DE3023427A1 - MOBILE DATA KEEPER - Google Patents

Abstract

Arranged in a plastic housing (11), which is closed on all sides and is provided with a metal shielding (113), are a main data memory (20) for useful data to be protected against unauthorised access, two identification devices (40, 70; 30, 60) and a system of destruction sensors (941, 942, 961-965) with associated switching stages (90-96). The two identification devices control the electrical access to the main data memory (20) by permitting a writing or reading operation only when a preceding identification process, in which identification information is fed in from outside, was positive. The destruction sensors, which are in particular current and pressure sensors laid in the walls of the container, respond to violent opening of the container housing (11) and initiate via a switching stage (90) erasure of the main data memory (20). <IMAGE>

Description

Mobile data holder

Mobile data container The invention relates to a mobile data container for the storage of user data secured against unauthorized access with a locked Housing in which there is a main data memory for the user data and an identification device which identification data supplied to it from outside are stored in it Compares identification data and, depending on the comparison result, access to the main data memory releases or blocks, and which data container is also equipped with sensor means is part of the make stored data unusable or destroy it.

The safe storage of all types of data or the backup of the Data against unauthorized access is becoming increasingly important.

In stationary systems, e.g. in banks and vaults or computers the protection against unauthorized data access is mainly carried out by storage of the data in rooms with solid walls, monitoring of the rooms by means of various Alarm systems and / or by appropriate personnel and by various more or less complicated identification systems that have automatic access only allow authorized persons to do so. However, these measures are for mobile data containers, which in many cases should or must be as small and light as possible, in general impractical.

For many purposes of such a data container, in particular for example in diplomatic communications or as a key storage for Encryption systems, it can be accepted that the stored data deleted or destroyed so that they could get into the hands of unauthorized persons.

The object of the invention is therefore to provide a mobile data container create that does not allow unauthorized access to the data it contains. In particular, this data container should not require solid walls and the like, so that it can be made correspondingly small and light, and no monitoring by-any staff required. Furthermore, the data stored in it should destroyed or made unusable if the container is unauthorized or forcibly is opened. ~~~~ - ~~ This object on which the invention is based is achieved according to the invention solved by the measures and features listed in claim 1.

In the DE-OS. 2. 224 937 is an identification system with data carriers described on which identification data and any other, e.g. a bank account of the user pertaining data are stored, the latter being through the identification data are secured. The data memories are against physical by a sensor system Access protected by this system automatically and in the event of an access attempt inevitably deletes the identification data. In this way the disk will useless and worthless as a means of identification, the remaining data stored However, they are retained and can therefore fall into unauthorized hands. These well-known Data carriers are therefore used to solve the problem on which the d # riErt # change is based not suitable.

In the following the invention is explained in more detail with reference to the drawing. The figures show: FIG. 1 a schematic sectional illustration of an inventive Data container with a block diagram of the electronic functional groups it contains, 2-4 various details from FIG. 1 in a schematic representation, FIG. 5 a schematic representation Sectional view of a loading device for storing data in the container, and FIG. 6 shows a schematic representation of an identification device equipped with the container.

The data container designated as a whole by 1 in FIG a housing 11 with, for example, a trough-shaped lower part 111 and a flat one Cover 112. The housing is made of non-conductive plastic and is on the outside on all sides surrounded by a metal layer 113.

In the data container 1 there is, among other things, a main data memory 20, a central identification data memory 30 and a subscriber identification data memory 40. Each of these three memories has a memory controller 21 or 31 or 41, one Extinguishing device 22 resp.

32 and 42 and a writing gate 23 and 33 and 43, respectively. Above the write gates can be attached to the data container 1 via those provided on its housing 11 Plug connections S1 or S2 or S3 are supplied with data and loaded into the memory. The assignments of the data to the individual storage locations, etc., take care of the Memory controls, which in turn have a multiple plug connector G in the The housing wall of the container receives the necessary control commands, such as switching over from reading on writing etc., received. The memory expansions include essentially an address counter and an address decoder and are therefore not detailed.

Furthermore, a quartz-controlled clock 50 with a Coaster 51 for the clock cycle, a setting stage 52 for adjustment or correction the clock 50 and a time switch 53 cooperating with the clock is provided. The setting stage 52 and the time switch 53 are connected by two plug connections U and Z on the container wall can be controlled. - The control of the timer 53 is by a gate 54 switched on in its connection line to the plug connection secured.

Two work with the two identification data memories 30 and 40 Comparison stages 60 and 70 together. On the one hand, these receive data from the two Save 30 and 40 and on the other hand over a control panel identification data connector ZI or via a gate 71 via an input keyboard arranged in the housing wall 72 for subscriber identification data. Instead of using the keyboard 72, the comparison stage 70 also via a subscriber identification data connector TI identification information supplied from the outside. This can be used instead of the keyboard at the participant's Identification, but also, as will be described later, during identification can be used by the charging center.

The subscriber identification data memory 40 also contains Another subscriber identification data to be explained for the data container 1 specific information, e.g. a sequence number. This information is stored in such a way that that it can be read out directly via a further plug-in connection L.

The comparison stage 70 controls the gate 43 and a read gate 24, which the data flow. from the main data memory 20 to a read plug-in connection L1 controlled. This reading gate 24 is also controlled by the tent cheater 53 at the same time. An alarm output of the comparison stage 70, at which the comparison result is signaled is connected to a corresponding plug connector A2 on the container 11.

The comparison stage 60 blocks or opens the write gates 23 and 33, the gate 54 and the setting stage 52 for the clock 50. This stage also has 6Q has an alarm output that is connected to a corresponding plug connection A2 in the container wall connected is.

There is also a mixer 80 in the data container and in the supply line A pluggable bridge 81 is provided from the memory 30 to the mixer stage, the latter is usually open. When the bridge is inserted, the are from the main data memory 20 and the central identification data memory 30 with each other e.g. Modulo-2 mixed. The mixed product reaches the reading connection via the reading gate 24 L1. When not plugged in or open Bridge 81 can use the central identification data do not get to mixer 80. In this case, they come from the main data memory 20 read out data unmixed to the read connection L1.

By means of a further bridge 82, as will be explained further below If necessary, the outputs of the two comparison stages 60 and 70 are interconnected will.

Furthermore, there is a relay stage 90 in the data container 1, the is controlled by various destruction sensors still to be explained, and a power source 100, for example in the form of a rechargeable battery. The power source 100 is connected to two further plug connections B1 and B2 on the housing wall.

The relay stage 90 controls three switching contacts 91-93. At rest the relay stage 90, which corresponds to its normal state, is where the switching contacts are located in the position shown. The contacts 92 and 93 are used to store 20 to 40 or their associated controls 21-41 the supply voltage from the power source 100 and the system clock T supplied by the coaster 51. Contact 91 is open. When inspreehan the relay stage 90, the contacts are in their position, not shown convicted. The voltage and clock supply for the memory are interrupted and via the contact 91, the extinguishing devices assigned to the memories 20-40 22-42 supply voltage supplied. The interruption occurs depending on the type of memory the storage supply and / or the activation of the extinguishing devices the destruction or deletion of the stored data.

Storage media that are preferred are those with non-moving storage media, such as RAM memory, GGD memory or magnetic bubble memory in question, however magnetic tape storage or magnetic disk storage can also be used.

The extinguishing equipment depends of course on the type of application to the memory. In the case of magnetic bubble accumulators, for example, the extinguishing devices 3 consist of a coil 221 which has a sufficiently strong magnetic field able to generate is which destroys the stored data. With other storage systems that also do not lose their charge in the event of a supply voltage failure lose automatically, the erasing devices can e.g. from a smaller controller exist, which in quick succession all memory locations with the same information, z-.B. loads with lots of binary zeros. In the case of volatile memories containing the lose stored information in the event of a supply voltage failure and / or cycle failure, the extinguishing devices can of course also be dispensed with.

The three memories 20-40 could of course also be divided into areas a single larger memory and e.g.

can also be divided into several memory blocks. Even the three memory controllers 21-41 could be replaced by a single one, correspondingly more complicated Control be implemented. The three-division shown was only for reasons chosen for the sake of clarity.

The relay stage 90 is controlled from here e.g. three sensor stages 94-96, in turn with corresponding sensors or sensors that are inside the data container or are arranged in the walls, work together.

The sensor stage 94 is a current detector. The associated sensors are formed as thin wire lines 941 and 942, which are in the walls of the container are laid and connected to the voltage source 100 via series resistors 943 and 944 are. The course of the wire lines in the container walls is from container to container different and preferably chosen at random. At the transition points between the container base 111 and the cover 112 are the lines by plug connections 945 and 946 connected. If one of the lines is somewhere due to an external influence is interrupted, the current sensor stage 94 brings the relay stage 90 to respond and thereby initiates the data deletion processes already described above.

The sensor stage 95 is controlled by a pressure sensor 951, the responds to the internal pressure Pl prevailing in the data container 11.

The sensor stage 95 brings the relay stage 90 to respond when the internal pressure e.g. as a result of forcing the data container to be opened by a certain value Amount deviates from a target value.

At some point in the container wall, e.g. here in the floor Provide the plastic wall with an opening 952, but through the metal chamfer 113 is hermetically sealed. In case the metal shield for some reason is removed, this leads to a pressure change in the data container and thus to the Response of relay stage 90.

The sensor stage 96 works with a large number of differential pressure sensors 961, of which only two are shown in FIG. These differential pressure sensors 961 record the pressures in four channels 962-965 in each connected to them the container walls.

These channels, each paired under the same pressure, run randomly within the container wall.

Such a differential pressure sensor 961 is shown in greater detail in FIG. It essentially contains two z-.B. piezo-electric pressure transducer 966, the each terminate one of the four channels 962-965, and two each to the two to one Channel pair 962-964 or 963-965 belonging pressure transducer connected differential amplifier 967 and 968, their outputs via unspecified lines and plug connections are connected to the sensor stage 96.

In the channel pair 962-964 the pressure P1 prevails in each case in the channel pair 963-965 a different pressure p2. Normally the output signals are both differential amplifiers 968 and 967 must be zero.

If, for example, as a result of forcibly opening the data container, any If the channels are broken up, the pressure is equalized with the environment and the or the differential amplifiers are out of balance. This is then handled by the Sensor level 96 is evaluated accordingly and ultimately leads to the response of the Relay stage 90.

Due to the paired arrangement of channels in connection with the differential amplifiers do not have any pressure drift phenomena caused by temperature fluctuations, for example Influence on the function of this stage. By using two pairs of channels each unauthorized access to the container is also ruled out under different pressures to open a space in which there is the same pressure as in one of the ducts.

The channels can be used as cavities within the plastic walls of the Be formed data container. But it is just as possible to use the. channels by means of hoses or pipes that are poured into the container wall are. In the latter case, the hoses or pipelines are preferably made of the same or a chemically and physically similar material as the container wall, so that it is not possible, for example, through chemical or physical removal To gain access to the canals without destroying them.

The various destruction sensors (lines, channels, etc.) are how already said, different from container to container and preferably randomly arranged distributed in the container walls. This can be done, for example, by means of a random generator controlled processing machines. This ensures that no two containers are designed the same with respect to these sensors and thus the security with regard to unauthorized opening is much greater.

The metallic shield 113 of the data container 1 is intended to prevent that the location and distribution of the destruction sensors using radiographic methods can be found out.

In addition to the three described destruction sensors, of course sensors of a different type may also be provided. So it would be according to, for example Fig. 4 is easily possible at one or more points in the container wall 111 to attach an oscillating circuit 971 with a corresponding detector stage 97 cooperates. The oscillating circuit would change when approaching or, for example, when moving away of the metallic shield 113 and thereby detuned via the detector stage 97 make relay stage 90 respond.

As indicated in FIG. 1 by the dashed lines 921 and 931 is, it would also be possible to use the clock and / or the feed lines to the memory controls lead through the container walls, whereby a further backup would be achieved-.

In Fig. 5 a for loading data into the data container 1 or its memory particularly suitable charging center 1000 is shown.

It comprises a solid container 1001 with a tub-shaped one Lower part 1011 and a cover 1012. The housing is against access by unauthorized persons by means of any conventional measures, which are here only by a Key 1013 are symbolized, protected.

In the interior of the container 1001 there are essentially a Data control computer 1100 and one only indicated here by a dash-dotted line Plug connection 1101 for one or more data containers 1, 1 'etc. Furthermore, a Power source 1200, a switching contact 1201 cooperating with the cover 1012, an OR stage 1300, an acoustic alarm transmitter 1301 and for each data container an optical alarm transmitter 1302 is provided.

The data control computer 1100 is any conventional computer and contains, inter alia, a data source 1110, which is yet to be discussed, and for each to be connected Data container 1, a center identification data memory 1130 and a subscriber identification data memory 1140. In these two memories 1130 and 1140 are for all belonging to the system Data holder stores the individual control panel and subscriber identification data.

The following is the function and mode of operation of the data container l and the charging center 1000. It is assumed that the Container already contains data from a previous loading process, which is now replaced should be.

The data container 1 is brought into the charging center 1000 for this purpose and connected to the computer 1100 via the plug connection 1101. The computer 1100 is only released when the lid 1012 of the charging center is closed, since, as is symbolically indicated here, only then via contact 1201 with supply voltage is supplied. This ensures that the data container no unauthorized manipulations can be made.

First, the data control computer 1100 now reads via the output L-of each container 1, 1 'etc. the sequence number of the relevant data container its memory 40 from. Using this sequence number, the total of the in the memories 1130 and 1140 existing identification data that the respective Container assigned and first the control panel identification data via the connection ZI transferred to the comparator 60 of the respective container l. This' compares now these data with the data contained in the memory 30 inside the container. The comparison result is reported to the computer via port A. In the event of a match the write gates 23 and 33 are released in the data container. In case of non-agreement the acoustic alarm 1301 speaks as well as that of the relevant data holder assigned visual alarm 1302 and any further operation is prevented, what is indicated here by the gates 1131.

If the one stored in the control center and the one stored in the container match Central identification data is stored in the data container via the connection to the memory 30 1 and the memory area of the memory 1130 assigned to this container in FIG Central with a new one, e.g. from a random one contained in the data control computer generator generated, purely random panel identification information loaded.

The next step is to check the for each data container Subscriber identification data. These are derived from the container sequence number defined area of the memory 1140 via the connection TI of the container to its Comparator stage 70 is transferred and there with the from the container internal memory 40 read out data are compared. In the event of a mismatch, a similar procedure is used as for the control panel identification data, an alarm is triggered via outputs A2. If they match, the gates 43 and 24 in the container 1 are released and it new, randomly generated subscriber identification data via the connection S3 of the container 1 in its memory 40 as well as in those defined by the sequence number Read area of the memory 1140 of the data control computer 1100.

For simpler use cases where security is not so must be high, the review of the subscriber identification data in the charging center can also be dispensed with. In this case the connections would just have to be of the computer to the connections S3 and TI of the container are interrupted what is indicated in the drawing by the bridges 1102 and 1103.

After these preparatory control operations, the main data loaded into the main data memory 20 of each data container via the connection S1. The main data comes from data source 1110. The data source can be any be a storing input device, by means of which data are made available can. If the main data is secret key in connection with an encryption system are, the data source can also be a random number generator or the like. This key data generated automatically.

During the various control and charging processes, the accumulators 100 in the data containers 1 also via the connections BL and B2 reloaded.

After loading the main data memory 20, if necessary, via the connection U, the clock 50 is placed around the data container and possibly via the Terminal Z, the timer stage 53 is set.

The latter can be used to set a time window within from which the main data can or must be read out.

This ends the charging process in the charging center and the data container now reach the user. This can only take the main data from the memory 20 read out via the read connection L1. However, it can save the data or do not change the setting of the timer stage 53, as the corresponding Inputs are blocked by the control panel identification data comparison stage 60.

In order to gain access to the main data, the user must first of all the subscriber identification data assigned to the relevant data container Enter the comparison stage 70 via the keyboard 72. This compares the entered Data with the data stored in the memory 40 and gives in case of agreement the reading gate 24 and thus access to the main data memory 20 free.

If the timer stage 53 also releases the reading gate 24, i.e., if the desired data access moment within the predetermined by the timer stage 53 Time window, the main data can then be used from memory 20 can be read out via connection L1. The necessary preparation and As with all other operations, the memory is controlled via the control connection G.

The keyboard 72 or the comparison stage 70 can be designed in such a way that that e.g. if incorrect identification data are entered three times, every further entry blocked and an alarm is triggered. This prevents the unknown Identification data found out by an unauthorized person through systematic trial and error can be.

The electrical access to the stored data from the outside accessible plug connections of the data container is thus through the central and secured participant-specific identification data. Access by force The data container is opened by the various destruction sensors and the prevents them from working together.

The Mixing stage 80. This mixes the main data with the control panel identification data of the memory 30, so that the data that can be taken at the output L1 form a mixed product. When using the data container as a key store in encryption systems then this mixed product can be used as an encryption key, provided that yes Anyway, randomly generated and unknown control panel identification data are the same for all key boxes involved. Under these conditions it is then possible, for example, to only store the control panel identification data memory if the container is opened without authorization to delete, but not the main data memory, as the data it contains without the control panel identification data are anyway unusable and therefore worthless.

For particularly important applications, it can be useful to use the data that is to be stored securely is not encrypted in plain text, but in some way or otherwise processed to save. In Fig.1 is therefore a Processor 83 indicated by dashed lines in the data paths from the write gate 23 to Memory 20 and from this to mixer 80 is switched on and from the control input G can be controlled from.

This processor encrypts the supplied main data with one of them own encryption program and decrypts the outgoing data again. The encryption program is generated by the processor based on key information stored in it, which is loaded into the processor when the data container is loaded. The preparation of the processor is done via the control connection G am, as with the memories Data holder 1.

If the data containers are used to store encryption keys, Of course, all key containers belonging to a connection network must be at the same time are loaded for each connection option within the network in pairs with the same information. In this case the charging center is for simultaneous Recording of several data containers formed. The various controls and such further, however, take place separately for each individual container. The sequence numbers of the individual containers then determine the allocation of the individual key data the respective containers.

The one indicated by dashed lines in FIG. 1 as open or interrupted Bridge 82 offers a further possibility of variation of the data container according to the invention. When the bridge 82 is closed or inserted, an authorized person can be identified Person by means of the comparison stage 70 and the associated release of the writing gate 23, information is written into the main data memory 20 via the write connection S1 and / or the clock 50 can be adjusted via the adjusting connection U. This can be for certain Exceptional situations are desirable and advantageous, but not the rule.

Except for the protection of the stored data with the ones already described It is also possible, for example, to provide a further backup via the readout rate. This is particularly advantageous in connection with encryption systems. So can e.g. the controller 21 of the main data memory 20 be designed so that they are in the cycle T of the clock cycle divided down by the coaster 51 and thus Autonomously controlled by the clock 50 only a certain number of data bits outputs from memory. The whole thing can also be organized in such a way that the Data is read out completely autonomously at certain time intervals specified by the clock 50 and then preferably the relevant memory locations of the main data memory immediately deleted after each output.

Deleting the data that has been read out can also be done by others Applications are desirable. Switching means are therefore preferably in the data container, E.g. in the form of jumpers or the like. Provided by means of which between the Operating modes "delete" and "not delete" can be selected after reading out.

A typical application for the data container according to the invention is its use as a secret key memory in an identification device. Such a device is shown schematically in FIG.

The device consists of two mechanically detachable from one another and electrically coupled parts, namely a test station 2000 and the data container 1. The test station is located at the place where the identification was made should be, e.g. at the entrance of a building or the like. The test station contains a Drive 2001 for the identification cards 2002 to be identified, two reading heads 2003 and 2004 for two card tracks 2005 and 2006, two amplifiers connected to the reading heads 2007 and 2008 and two decoders in 2009 and 2010, two connected to the decoders And gates 2011 and 2012, another And gate in 2013, an alarm generator in 2014, possibly a keyboard 2015 and a central unit that initiates and controls all functional processes Control 2016.

The data container 1 is constructed essentially the same as that according to FIG. 1. Only the functionally essential parts are therefore shown in FIG. 6. In addition to the memory 20 already described and the encryption computer 83, the Data container 1 also has a comparison stage 84, which you can use via an input Compare data supplied to KR with data originating from the encryption computer 83 and Output a signal characterizing the comparison result via an output AL can.

The 2002 identification cards have two pieces of information on their two reading tracks: namely any card number and crypto information that is used in the production of the card was formed from the card number by encrypting it with a secret key. These two pieces of information are now removed from the card during the identification process read and via the And gates 2011 and 2012 and via the inputs KR and NU dem Comparator 84 or the encryption computer 83 in the data container 1 is supplied. The memory 20 contains the secret key used in card manufacture. With this secret key The encryption computer now creates the cryptographic information from the card number. These The cryptographic information formed is now compared with the read-off information and the agreement or mismatch is signaled via the output A1 from the alarm device 2014 signals. Alternatively, the card number can also be entered using the keyboard In 2015.

With conventional identification systems based on this principle work, great care must be taken for the "handling" of the secret key e.g. the key must be sent to the individual identification stations by courier and secured there against unauthorized access. The data holder on the other hand, does not require any special security measures and can, for example, easily be sent by post. No secret information can be extracted from the container, but: only the "good / bad" sign # al.

Blank page

Claims (16)

Claims Mobile data container to protect against unauthorized access secure storage of user data with a closed housing (11), in which is a main data memory (20) for the user data and an identification device (40, 70), which you externally supplied identification data with in compares your stored identification data and depending on the comparison result enables or blocks access to the main data memory (20), and which data container is also equipped with sensor means (90-96), which in the event of forceful or unauthorized Opening the data container will make part of the stored data unusable or destroy, characterized in that the sensor means (90-96) in the main data memory render useless or delete any user data. 2. Data container according to claim 1, characterized in that the ## Sensor means (90-96) in the walls (112, 1117 ~ of the house ~ (119 arranged destruction sensors (941, 942; 962-965) which respond when the walls are breached. 3. Data container according to claim 2, characterized in that the Sensor means (90-96). different from data holder to data holder and preferably randomly distributed and secured against localization from outside. 4. Data container according to claim 3, characterized in that the Sensor means comprise wire lines (941, 942) arranged in the housing walls. 5. Data container according to claim 4, characterized in that the Housing (11) has a metallic shield (113) on the outside. 6. Data container according to one of claims 1 to 5, characterized in that that the sensor means a pressure detector (95,951) for the internal pressure (Pi) of the housing (11) include. 7. Data container according to Claims 5 and 6, characterized in that that the housing walls (111, 112) are provided with an opening (952) which when the shield (113) is removed, the interior of the housing connects to the atmosphere. 8. Data container according to claim 2, characterized in that the Destruction sensors in the housing wall arranged cavities (962, 963, 964, 965), which are in pairs under the same pressure (P1, P2), with each two cavity pairs (962, 963; 964, 965) on two differential pressure detectors (967, 968) are connected, the output signals of which are fed to a differential pressure sensor stage (96) are (Fig. 2). 9. Data container according to one of claims 2 to 8, characterized in that that the sensor means comprise a relay stage (90) which is generated by the destruction sensors is controlled and causes the useful information to be rendered unusable. 10. Data container according to one of claims 1 to 9, characterized in that that the identification device (40, 70) only provides read-out access to the main data memory (20) controlled. 11. Data container according to one of claims 1 to 10, characterized in that that it contains a second identification device (30, 60) which is independent from the first-mentioned identification device (40, 70) the registered access controlled to the main data memory (20). 12. Data container according to one of claims 1 to 11, characterized in that that it contains a timer stage (50, 51, 53) which provides access to the main data memory (20) only allows for a selected period of time. 13. Data container according to one of claims 1 to 12, characterized in that that it is designed for detachable connection to a charging device (1000), which automatically writes the user data into the main data memory (20). 14. Data container according to claim 10 and 13, characterized in that that the loading device (1000) has an identification data memory (1130) in which those required for the second identification device (30, 60) in the data container (1) Identification data are stored, as well as means for automatically entering them Comprises identification data in the second identification device (30, 60). 15. Application of the data container according to one of the preceding claims. for the storage of key data in Ghiffriersystemen. 16. Application of the data container according to one of the preceding claims for storing key data in identification systems.