Patent Grant
6962294
The invention relates to an integrated circuit having a plurality of physical planes, security-critical circuit components arranged in a lower plane and data lines arranged in an upper plane in such a way that they are situated at least in part above the security-critical circuit components.
In principle, integrated circuits are constructed in such a way that the actual semiconductor components are arranged in a lower plane, the so-called active plane. The wiring of the semiconductor components is implemented in planes lying further above, the so-called metal planes. Depending on the complexity of the circuit, a plurality of metal planes is required in order to carry out a complete wiring. The individual metal planes are electrically isolated from one another by an insulation line. In general, attempts are made to keep the number of metal planes as low as possible, since each additional metal plane leads to a considerable increase in costs in the production of the integrated circuit.
Further requirements are made of integrated circuits which comprise security-critical circuit components. These relate to the repulse of attacks an the integrated circuit, the aim of these attacks being to covertly discover the internal processes in the security-critical circuit components or the construction thereof and thus to obtain the opportunities for manipulation or for unauthorized operations. Such attacks are known as probing, forcing, FIB, etc.
In especially security-critical cases, the affected regions are covered with an active shield and, if appropriate, an additional metal plane is provided for this in the case of an active shield, regions of a circuit are covered with a multiplicity of additional lines for which voltage and/or current flow are monitored in order to be able to detect a physical attack. A particularly critical application is present for example in an integrated circuit for DES implementation. In this application, the keys used are stored, in plain text. If an attacker succeeds in physically accessing the security-critical circuit components, the attacker can read out the keys and use them improperly.
An additional property of an integrated circuit for DES encryption that makes the construction more difficult lies in the fact that DES is very wiring-intensive owing to the many permutations. Therefore, a plurality of metal planes have to be provided anyway in order to avoid power and timing problems which result if it is attempted to dispense with a metal plane. Moreover, this would lead to enlargement of the area. The function of an active shield is nevertheless indispensable in order to ensure the security that is necessary for the application.
Therefore, it is an object of the invention to specify an integrated circuit which ensures the security of an active shield without requiring an additional metal plane for this.
This object is achieved by means of an integrated circuit of the type mentioned in the introduction which is characterized in that a detector circuit is provided for identifying an attack on the integrated circuit, having a transmitting device for feeding predetermined test data into the security-critical circuit components, a receiving device for receiving the first data processed by the security-critical circuit components, and an evaluation device for comparing the received data with expected data and for ascertaining a non-correspondence, the data lines carrying data that are necessary during the processing of the data fed in.
Thus, in the integrated circuit according to the invention, data lines present anyway are used to construct an active shield. In the event of an attack on the integrated circuit, firstly the data lines located at the top are affected. This would have the effect that the received data do not correspond to those data which are actually expected. In this case, the data lines may carry the first data to be processed themselves or data that have already been processed, or else second data required for processing. In the case of an integrated circuit for carrying out an encryption, the data lines carry the encrypted data or second data which are required for the encryption.
In a particularly advantageous embodiment of the invention, known test data are encrypted using a known test key. The form of the data to be obtained is thus known. In this case, the provision and plausibility check may be effected both by a control unit outside the encryption unit and by the encryption unit itself If the plausibility check gives an incorrect outcome, further use of the encryption unit is no longer permitted, or countermeasures are initiated.
In this case, the data lines connect an encryption memory, in which second data that are necessary for encrypting first data are stored or can be stored, to processing units for combining the first with the second data and a key. There are a large number of such lines present, so that a high security is achieved. Consequently, the test circuit according to the invention can be integrated into the rest of the circuit design particularly simply.
Particularly in the case of cyclic transmission of test data, it is possible to provide a security function which corresponds to that of an active shield. No additional metal plane is necessary in this case.
The invention is explained in mare detail below using an exemplary embodiment. In the figures:
In order to be able to use the existing data lines 11 for the test purposes intended according to the invention, two changeover devices 9 and 10 are provided on both sides of the data lines. Instead of data being fed in by the first regular circuit components 7, it is possible, by means of a corresponding changeover of the first changeover device 9, for data to be fed into the data lines 11 by a transmitting device 2 assigned to the detector circuit. Predetermined test data 5 known within the integrated circuit are used for this purpose.
On the other side of the data lines 11, the data are forwarded to a receiving device 3, instead of to the second regular circuit components 8, by means of a second changeover device 10. An evaluation device 4 connected to the receiving device 3 compares the received data with expected data which should be received in the case of an intact transmission path. If the evaluation device 4 ascertains that the received data do not correspond to the expected data, an alarm signal 13 is output. This can be used to trigger countermeasures.
Further circuit components 12, for example encryption components, may also be arranged in each case between the data lines 11 and the changeover devices 9 and 10. The components may be provided either on one side of the data lines or else on both sides. If an encryption document is provided, then the test data are encrypted using a known key, so that, at the receiver end, it can again be ascertained whether the received data correspond to expected data. In this case, the comparison can be effected without previously decrypting the data again.
The simplest way of explaining the exemplary embodiment of
The test data 5 are thus fed to the encryption unit 22 by a transmitting device 2, in which unit combination with the second data from the memory 33 and a test key 23, stored in a key register 24, is effected. The encrypted data are then fed to a receiving device 3. An evaluation device 4 connected to the latter compares the received data with expected data 6. If these do not correspond, it is assumed that manipulations to the data lines 11 have been made. In order to indicate this, an alarm signal 13 is output, and can be used to trigger countermeasures. By way of example, it may be expedient for the keys stored in the key register 24 to be erased when an alarm signal occurs.
Further countermeasures are familiar to the person skilled in the art and can be integrated without any problem.
Proceeding from the first S-box selector 22, the first data, which have now already been partly processed, are transmitted to a second S-box selector 25, where a combination of the data that have already been partly encrypted with a further key 26, loaded from the key register 24, and second data from a second S-box memory 27 is carried out in the same way. Identical processes take place in a third S-box selector 28 and a fourth S-box selector 30, keys 29 and 31 respectively being used, loaded from the key register 24. Afterwards, the data are transferred to the interface device 32 and can be read out there.
It becomes clear from
The processing of test data and a test key described with reference to
In order to obtain good protection, the transmission of test data must take place at cyclic intervals. The shorter the intervals, the higher the protection. In this case, carrying out a transmission of test data at irregular intervals, for example under the control of a random generator, may be taken into consideration. This makes it more difficult for an attacker to utilize the intervals between the “shield checks”. In this case, the test data may be transmitted in a manner triggered by hardware or software, depending on the application.
| Number | Date | Country | Kind |
|---|---|---|---|
| 102 23 176 | May 2002 | DE | national |
This application is a continuation of International Patent Application Serial No. PCT/DE2003/01357, filed Apr. 25, 2003, which published in German on Dec. 4, 2003 as WO 2003/100857, and is incorporated herein by reference in its entirety.
| Number | Name | Date | Kind |
|---|---|---|---|
| 4868489 | Kowalski | Sep 1989 | A |
| 5060261 | Avenier et al. | Oct 1991 | A |
| 5247577 | Bailey et al. | Sep 1993 | A |
| 5465349 | Geronimi et al. | Nov 1995 | A |
| 6246970 | Silverbrook et al. | Jun 2001 | B1 |
| 6565007 | Kreft | May 2003 | B1 |
| 6752321 | Leaming | Jun 2004 | B1 |
| 6798234 | Laackmann et al. | Sep 2004 | B2 |
| 6805297 | Okaue et al. | Oct 2004 | B2 |
| 20010033012 | Kommerling et al. | Oct 2001 | A1 |
| Number | Date | Country |
|---|---|---|
| 100 58 078 | Apr 2002 | DE |
| WO-9818102 | Apr 1998 | WO |
| WO-0217398 | Feb 2002 | WO |
| Number | Date | Country | |
|---|---|---|---|
| 20050092848 A1 | May 2005 | US |
| Number | Date | Country | |
|---|---|---|---|
| Parent | PCT/DE03/01357 | Apr 2003 | US |
| Child | 10995961 | US |
