acm-header
Sign In

Communications of the ACM

Communications of the ACM

The Recodable Locking Device


The Recodable Locking Device (RLD) is a mechanical switch constructed using polycrystalline silicon surface micro-electro-mechanical systems (MEMS) technology. Polysilicon surface micromachining is a process for manufacturing MEMS, which is based on the manufacturing methods and tool sets used to fabricate integrated electronic circuits. The RLD was produced using Sandia National Laboratories' unique multilevel mechanical polysilicon surface micromachining technology. Multiple levels of structural polysilicon create significant opportunities for complex devices, such as the RLD, that are not possible in processes with fewer levels of structural polysilicon.

The RLD performs two primary functions: code discrimination and energy switching. The RLD contains six decimal-encoded wheels creating a population of one million different codes. Since it is only stored in the mechanical device, discovery of the code is not possible through software operations. After the RLD verifies proper code entry, it mechanically actuates a switching element. The preferred implementation is an optical shutter blocking the path between an optical source and detector. Other implementations include electrical switch contacts and a pop-up mirror for routing optical energy.

Back to Top

Fabrication Process

Sandia's surface silicon micromachining is a lithographic process using 11 mask levels to create four levels of polycrystalline silicon [1] (or polysilicon—the shorthand term). The process yields three movable levels of polysilicon in addition to a stationary level. The four-level polysilicon micromachining process enables the fabrication of articulated machinery with moving rotational joints and overlapping structures.

Devices are created by alternately depositing a thin film, photolithographically patterning the film, and then performing chemical etching. By repeating this process with layers of silicon dioxide and polycrystalline silicon, complex three-dimensional shapes can be formed. The shapes themselves result from the fabrication process in conjunction with a series of two-dimensional masks that define the patterns to be etched. In addition, a friction-reducing layer of silicon nitride is placed between the layers that form bearing surfaces. At the end of the fabrication process, the silicon dioxide is chemically removed, leaving behind the mechanical structures comprised of polycrystalline silicon. Figure 1 shows a cross section schematic of the layers associated with the technology, with no patterning. Figure 2 shows the cross section of an actual gear on a hub, along with a pin joint contained in the gear.

The primary obstacle to multilevel polysilicon fabrication is the severe wafer topography generated by the repetition of film depositions and etching. The introduction of chemical mechanical polishing to the process has largely eliminated this obstacle and created significant opportunities for complex devices, such as the RLD.

The RLD is batch-fabricated on 150mm (6-inch) silicon wafers identical to microelectronic devices. The individual RLD dies are nominally 4.6mm × 9.2mm × 0.6mm (about the size of a typical shirt button) and feature mechanical wheels that are 300 microns in diameter (approximately the size of the period at the end of this sentence). Electrical connections to the device are made through wires bonded to pads around the periphery of the die and the unit can be packaged in a standard integrated-circuit package.

Back to Top

Description of the Code Setting and Comparison Functions

The combination to the RLD can be any number with a maximum of six digits, including zero and 999,999. The code is stored in six mechanical wheels, one for each decimal digit. Each wheel has three sets of notches located around its periphery, as shown in Figure 3. The notches represent the equivalent of decimal numbers zero through nine. Each set of notches has a different function. The left set of notches (see Figure 3) is used for driving the code wheels. The top set is used for a mechanical code comparison function. The right set is used as a means of mechanical detent to hold the gears in a stable position during operation. One of the comparison notches is deeper than the rest to accept a tab on the try bar, the rectangular structure near the top of Figure 3.


The RLD is considered unspoofable and hence assurances can be made about its robustness based on physical security that totally isolates the owner functions from the operating system or other software in the system.


The code is stored in the device as the angular orientation of each wheel. Each wheel is controlled by a mechanical pawl that rotates it either clockwise or counterclockwise. Electrostatic comb drives convert electrical signals to mechanical work and provide motion to the pawl. Each wheel and mechanical pawl has its own comb drive. The comb drives are electrically connected so that owner of the device can rotate the wheels in both directions but a user can only rotate the wheels counterclockwise.

The comb drives have three electrical connections each: clockwise, counterclockwise, and ground. Imagine a typical IC dual in-line package (DIP) with metal pins protruding along each side. The pins on one side represent public access; the pins on the other represent user access. The comb drives are wired with only the ground and the counterclockwise pads connected to the public pins. All three drive pads are connected on the owner's side. When installed correctly, a user can only access one side of the device and has no opportunity to rotate the wheels clockwise.

This arrangement allows the owner to set combinations in the lock and allows the user to enter a trial value, that is, attempt to unlock the device. The owner sets a code in the lock by first rotating all wheels fully clockwise to a mechanical stop. The mechanical stop provides a fixed reference for recoding and allows the owner to reset or change the code without knowing the current code value.

When the wheels are against their respective stops the pawls are all at the first driving notch, which translates into a temporary code of all nines. Each wheel is then rotated counterclockwise by its respective pawl mechanisms one notch at a time until it is advanced the number of notches equivalent to the desired decimal number for that wheel position. After all six wheels have been advanced to their desired positions, the code is considered set, that is, the wheels now represent a number between zero and 999,999.

Figure 4 shows a schematic diagram of an RLD with three wheels. The try bar, used for code comparison, is shown above the wheels. The comb drives and pawls are not shown for clarity. The device is initially set to the code 839. To unlock the device, each code wheel must be rotated counterclockwise to align the deep slot with the tabs on the try bar. Rotations are quantized to fixed angles by the drive slots (not shown) so that one unit angular displacement relates to code number. Larger rotations correspond to larger code numbers.

A user unlocks the lock by rotating each wheel forward in a counterclockwise direction the exact number of notches it takes to align the deep slot with the try bar tab. When all six wheels have been advanced the exact amount dictated by the preset code, a successful code comparison is accomplished by driving the try bar tabs into a deep slot on each gear. Figure 5a shows the RLD after a correct code entry. The try bar tabs are fully engaged in the deep slots. The resulting motion of the try bar is used to operate the output switch.

The deep slot is only presented to the try bar when the respective wheel has been rotated to the "zero" position. All six wheels must be advanced the exact number of positions so that they all are in the zero position. Any gear that is not is this position will be presenting a shallow notch and will prevent the try bar from penetrating the required depth for a successful comparison. Figure 5b shows the RLD after a user entered an incorrect code. The progress of the try bar is blocked by the wheel preventing full motion and operation of the energy switch.

The try bar is a single piece that spans all six wheels with a comparison tab for penetrating the deep slot in each wheel. This structure for one wheel can be seen in Figure 3 and it shows a successful comparison, with the tab fully penetrating the deep slot. Since the tab is fully engaged in one wheel, the other five wheels (not shown in the Figure 3) must also be set in the zero position.

The extra depth of the deep slots permits the required mechanical travel to confirm a code comparison. This motion can be used directly to activate a switching element, such as an electrical contact or shutter, or the motion can be used to unlock another linkage to operate the switching element, like a pop-up mirror.

The output device is mechanically tied to the try bar. In the preferred implementation, translation of the try bar also moves the shutter opening an aperture between the optical source and detector. If the trial value is incorrect after one or more attempts, the RLD mechanically locks and will not allow any further trials until reset by the lock owner. Furthermore, the RLD inhibits any movement of the mechanical shutter that blocks the optical path. If the trial value is correct, the try bar mechanically allows the activation of the switching function (movement of the mechanical shutter). The switching function is comprised of optical transmitters and receivers that are separated by an air gap. The information can be transmitted across the air gap to the optical receivers when and only when a mechanical shutter is physically moved out of the way. The mechanical shutter physically occupies the air gap either blocking or enabling the passage of optical information. The mechanical shutter is moved only with a successful unlock operation or when the owner returns it to the locked state.

Back to Top

Description of System Usage

Functionally, the RLD provides a one-part-per-million electromechanical combination lock with the shackle function provided by either an optical or electrical switch. The optical output switch, which is being integrated into the next version of the RLD, comprises optical transmitters and receivers that are separated by a movable mechanical shutter that resides in an air gap between them. Movement of the mechanical shutter opens or closes the optical paths, thus constituting the switching function.

In the locked position, the output switch can provide both normally open (shutter blocks the optical path) and normally closed (shutter completes optical path) switch functions. When a user provides a combination code that matches the one set by the owner, the RLD is unlocked. That is, the mechanical shutter is moved, changing all of the normally open output switches to closed and the normally closed output switches to open.

The lock owner can set the combination to any decimal value from zero to 999,999 by adjusting the positions of the six code wheels. The input to the RLD is provided electrically and is converted to mechanical motion by electrostatic comb drives. All code management and operational functions are provided by comb drives. These functions include: setting and resetting the lock combination by the owner, user attempts to unlock, mechanical code comparison after entry of a trial value, single-try lockup release (restoring the lock to a usable state after a failed unlock attempt), and shutter movement from locked to unlocked state.

The RLD is considered unspoofable and hence assurances can be made about its robustness based on physical security that totally isolates the owner functions from the operating system or other software in the system. The combination code is only represented in the mechanical code wheels and is never needed within the software system for any reason. Hence, software deception or diversion cannot be used to discover the code. The public side of the RLD is available through the operating system for local or remote access. The secure side is only accessible from the host machine. Several design features in the RLD prohibit the user from attempting any form of manipulation that might defeat the lock.

The RLD as realized in surface silicon MEMS technology (physically very small) opens up substantial opportunities in computer systems safety and security. The device can easily be configured to meet specific application needs, such as number of decades in the code, number of trials before lockup, number of output switches, and parallel or serial entry of the code. The device is packaged identically to microelectronic devices.

Back to Top

Applications

The original intent for the lock was as a safety device in high-consequence systems. For example, it can be used to inhibit the generation of critical actuation signals until it has been unlocked by a unique number generated in real time by a complex software-based system. An example of such usage is in a radiation therapy machine for cancer treatment.

The software that operates such a machine would be forced to generate a unique number throughout the operation sequence leading to the generation of the treatment dose for the patient. The generation of this unique number provides strong confidence that the entire operation of the machine, including operator interaction, has been properly (faithfully) performed prior to allowing the excitation of the radiation producing equipment. The unique number that signifies correct operation is preset in the RLD. If that number is presented to the RLD, it will unlock as described earlier. If any step is not performed in the proper sequence, an incorrect number will be generated, and the RLD will remain locked and not allow passage of the critical control signals that are required to activate the radiation generator.

Secondarily, the RLD can be used as an extremely high-assurance lock to inhibit unauthorized access to highly protected information within a software-based system, such as a personal computer. In this application, the RLD holds the asset in an inhibited state until authorization is established and would be typically returned to the inhibited state immediately after completion of the access. This application is in contrast to a highly interactive multiuser environment, such as Web access, where the goal is to provide uninhibited access to information resources once access is granted through a firewall system, if one exists.

Another possible use for the RLD in computer security is for intentional use denial as a mitigation method when an adversarial attack is detected. In this mode, the RLD is placed in critical information paths or control elements and would freely allow information flow under normal conditions (normally closed switches). When an attack is detected, a very select number of people would have the RLD combination code(s) and could inhibit any or all of the selected information paths in which the RLD was placed, thereby effecting an adminstrative use denial function.

Back to Top

References

1. Sniegowski, J.J. Multi-level polysilicon surface-micromachining technology: Applications and issues. ASME 1996 International Mechanical Engineering Congress and Exposition, Proceedings of the ASME Aerospace Division, AD-Vol. 52 (Nov. 1996, Atlanta, GA), 751–759.

Back to Top

Authors

David Plummer ([email protected]) is the manager of the Electromechanical Engineering Department at Sandia National Laboratories in Albuquerque, N.M.

Larry J. Dalton ([email protected]) is the manager of Sandia National Laboratories' High Integrity Software Systems Engineering Department and High Integrity Systems programs in Albuquerque, N.M.

Frank Peter ([email protected]) is a senior member of the Technical Staff in the Electromechanical Engineering Department at Sandia National Laboratories in Albuquerque, N.M.

Back to Top

Footnotes

Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the U.S. Department of Energy under contract DE-AC04-94AL8500.

Back to Top

Figures

F1Figure 1. Schematic of process layers.

F2Figure 2. Cross section of gear on a hub.

F3Figure 3. Code wheel with a try bar.

F4Figure 4. Schematic of RLD set to code 839.

F5AFigure 5a. RLD after a correct code with try bar fully engaged.

F5BFigure 5b. RLD after an incorrect code. A wheel is blocking try bar.

Back to top


©1999 ACM  0002-0782/99/0700  $5.00

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

The Digital Library is published by the Association for Computing Machinery. Copyright © 1999 ACM, Inc.


 

No entries found