An aspect of the present invention relates to a smart card chip arrangement and a method for protecting a smart-card chip arrangement from unauthorized tampering.
Smart cards are used for a multitude of applications and, in order to protect the user or provide identification for the relevant application, they generally perform some form of encryption or decryption. To this end, a secret key is stored on the chip to render the cryptographic function unique. Attacks from unauthorised parties aim to retrieve this secret key and hence allow the attacker to duplicate or otherwise misuse the smart card. There are two classes of attack: non-invasive and invasive. The present invention is able to find a solution to the latter.
Invasive attacks on smart cards are performed by partially or completely removing the packaging of the microchip of the smart card. The depackaging step may be achieved using acids, solvents, laser cutters, or chemical mechanical polishing. A comprehensive description of the various techniques employed is given in the paper “Design Principles for Tamper-Resistant Smartcard Processors” by Oliver Kömmerling and Markus Kuhn, Proc. of the USENIX Workshop on Smartcard Technology, Chicago, 10-11 May, 1999, pp. 9-20. Once the microchip has been depackaged, attacks are conducted by probing metal tracks. A focus ion beam (FIB) technique could be employed to drill fine holes in the insulating layer in order to expose fine metal tracks without disturbing other components.
A standard countermeasure against invasive attacks is to cover the chip surface with a metal protection grid. More specifically, the topmost metal layer of the microchip is patterned to cover the chip with a meandering grid. This grid prevents access to the circuitry below and also shields the chip circuitry from electromagnetic emissions, which may leak sensitive information (see, e.g., the Dallas DS5002FPM secure microprocessor). Damage to the protection grid is detected, which triggers an alarm and thus causes the chip to refuse further operation.
A second method for protecting the encryption keys is to randomly distribute small particles directly into the packaging of the microchip. The cryptographic key is then derived from measuring the distribution of these particles. To achieve this, the chip includes sensors that are sensitive to at least one physical property of the particles (e.g. magnetism). If the packaging is damaged or removed, the encryption key is lost. This structure is the subject of U.S. Pat. No. 7,005,733 by Kömmerling et al.
A drawback with the use of metal protection grids is that the depackaging procedure leaves the protection grid intact. Generally speaking, it is necessary to actively break the metal protection grid in order to trigger the alarm. However, since the feature size of the metal grid is much bigger than what the FIB can achieve, it is highly likely that the grid will be unable to provide sufficient protection (as demonstrated by Kommerling and Kuhn in the above-mentioned paper). A small hole can be excavated between grid lines to expose signal wires for probing by the attacker, without triggering the alarm.
As regards the particle-distribution technique, this solution is elegant in principle, but requires a multitude of sensors to be positioned on the chip surface. This is expected to consume significant area on the chip and complicate routing, not least because metal wires running above a sensor will shield it from the relevant property of the packaging, thereby defeating the purpose.
In accordance with a first aspect of the present invention there is provided a smart-card chip arrangement, comprising: a smart-card chip; an organic conductive layer disposed on a surface of the chip; and signal-deriving means for deriving a signal dependent on one or more properties of the organic conductive layer; wherein said organic conductive layer and said signal-deriving means are configured such as to detect an invasive attack on said chip.
The organic conductive layer may be an organic semiconductor layer, which may be composed of a material from a group consisting of F8T2, P3HT and pentacene. Alternatively, or additionally in another region of the chip, the organic conductive layer may be an organic conductive polymer. Such an organic conductive polymer may be composed of a material from a group consisting of PEDOT and PSS.
The organic conductive layer may be a layer covering at least those areas of the chip containing circuitry, which, if invaded, could lead to the detection of a cryptographic key employed by the chip. It may be constituted as a strip of organic conductive material arranged in a meandering pattern on said chip surface. The meandering pattern may be a spiral or a wave-like shape.
The organic conductive layer may be provided as two or more layers separated by an insulative layer. Viewed looking down onto said organic conductive material, the meandering pattern of one of said layers may at least partially overlap the spaces inside the meandering pattern of another of said layers.
The meandering pattern may comprise first and second castellated strips of the organic conductive material, the first and second castellated strips each comprising first strip sections, which are formed in one of the two layers and are extensive in a direction substantially orthogonal to the general direction of the meandering pattern, and second strip sections, which are formed in the other of the two layers, are extensive in substantially the general direction of the meandering pattern and link neighbouring ends of the first strip sections.
The meandering pattern may be in discrete sections, said discrete sections being associated with respective said signal-deriving means. Alternatively, the meandering pattern may be in one continuous length.
Advantageously, a surface of said organic conductive layer facing away from said chip may vary in height above said chip surface over at least part of the extent of the organic conductive layer. There may be an insulative layer disposed between said chip surface and said organic conductive layer, wherein said insulative layer varies in thickness over at least part of the extent of the organic conductive layer.
The signal-deriving means may be configured such as to apply a first electrical quantity to one part of said organic conductive layer and to detect a second electrical quantity at another part of said organic conductive layer, said second electrical quantity, or differences between said first and second electrical quantities, being due to the application of said first electrical quantity and being determined by properties of said organic conductive layer, and to compare said second electrical quantity or said differences with a reference electrical quantity or reference differences, respectively.
The first electrical quantity may be a voltage or a current, and said control means may be configured such as to detect a time delay with which said voltage or current appears at said another part of said organic conductive layer, said time delay being compared with a reference time delay characterizing said smart-card chip arrangement in an uninvaded state thereof.
The first and second electrical quantities may be first and second waveforms, respectively, and said control means may be configured to compare said second waveform, or differences between said first and second waveforms, with a reference second waveform or reference differences, respectively, characterizing said smart-card chip arrangement in an uninvaded state thereof.
The signal-deriving means may be configured to determine a transfer function of said organic conductive layer and to compare said transfer function with a reference transfer function characterizing said smart-card chip arrangement in an uninvaded state thereof.
The signal-deriving means may be configured to apply a voltage or a current to one part of said organic conductive layer, and to detect a time delay with which said voltage or current appears at another part of said organic conductive layer, said control means comprising combining means for combining said detected time delay with reference data, thereby to provide a cryptographic key employed by the chip, and comparing means for comparing said cryptographic key with a cryptographic key obtained in an uninvaded state of said smart-card chip arrangement.
There may be two of said organic conductive layers and said signal-deriving means may comprise: a signal-input means for inputting an input signal to one part of each of said organic conductive layers; a signal-output means for outputting an output signal from another part of each of said organic conductive layers; a first comparison means for forming a first comparison between said output signals, and a second comparison means for forming a second comparison between the results of the first comparison and a reference signal held in a memory.
The first comparison means may be a difference-determining means for forming a difference between said output signals, or a dividing means for forming a ratio of said output signals.
The organic conductive layers may be in different layers with an insulative layer therebetween, said organic conductive layers at least partially overlapping each other. Alternatively, or additionally, the organic conductive layers may be side-by-side in the same layer.
In a second aspect of the present invention, a smart card is provided comprising a smart-card chip arrangement as described above.
The invention further provides, in a third aspect thereof, a method for protecting a smart-card chip arrangement from unauthorized tampering, said smart-card chip arrangement comprising: a smart-card chip protected by a cryptographic key, and an organic conductive layer disposed on a surface of the chip; said method comprising the steps of: performing a self-characterization process, in which an initial signal dependent on one or more of the initial properties of said organic conductive layer before tampering is derived; performing one or more subsequent tests on said smart-card chip arrangement in order to derive subsequent signals dependent on said one or more of the properties of said organic conductive layer; comparing said subsequent signals with said initial signal, and, if said subsequent signals differ substantially from said initial signal, providing to said chip a signal indicative of said tampering.
A fourth aspect of the present invention features a method for protecting a smart-card chip arrangement from unauthorized tampering, said smart-card chip arrangement comprising: a smart-card chip protected by a cryptographic key, and an organic conductive layer disposed on a surface of the chip; said method comprising the steps of: establishing an initial value of said key before tampering, said value being dependent on determined properties of said organic conductive layer; performing one or more subsequent tests on said smart-card chip arrangement in order to reassess the value of said key; comparing said reassessed key-value with said initial key-value, and, if said reassessed key-value differs from said initial key-value, providing to said chip a signal indicative of said tampering.
Either of these methods may include the further step of using said tampering-indicative signal to prevent the reading of said cryptographic key.
The initial value of the key may be established from a combination of a parameter, which is dependent on said determined properties, and a predetermined pre-key component. The parameter may be a response time of said organic conductive layer to an input signal applied to said organic conductive layer.
Embodiments of the invention will now be described in detail purely by way of example, with the aid of the attached drawings, of which:
a) and 9(b) provide top and side views, respectively, of a smart-card chip arrangement in accordance with a still further variant thereof;
a) and 11(b) are top views of a fifth embodiment of a smart-card chip arrangement in accordance with the invention; and
a), 12(b) and 12(c) are top views of a sixth embodiment of a smart-card chip arrangement in accordance with the invention;
The smart-card arrangement proposed by the present inventors is based on the use of an organic conductive protection layer, which may be composed of a conductor or a semiconductor material and is preferably disposed in a grid pattern, as are the known metallic protection layers. Organic materials are damaged by all of the depackaging techniques that are currently employed and can therefore provide excellent protection against tampering. Furthermore, a preferred embodiment of the invention deposits the organic protection layer as a back-end process—that is, the structure is made after the chip has been fabricated. This means that a standard smart-card chip can be obtained and the organic protection layer deposited on a surface of this standard chip. Since therefore minimal changes have to be made to the chip itself, costs are reduced.
Furthermore, by using inkjet or similar deposition or patterning techniques, it is possible to dynamically vary the structure of the protection layer (grid) without significantly increasing fabrication costs, since it is not necessary to use lithography masks. Individual chips of the same fabrication run can be structured differently, which has the advantage of making reverse-engineering and spoofing (the mimicking of protection-grid behaviour by an attacker) much more difficult. This flexibility is not available when using metal protection grids.
A wealth of organic materials are known, which are suitable for use as the protection layer. The most commonly used materials for this function are PEDOT (poly(3,4-ethylenedioxythiophene)), which is a conductive polymer material usually doped with PSS (poly(stryenesulfonate)), and F8T2 (poly(9,9-dioctylfluorenyl-2,7-dyl)-co-bithiophene)) or P3HT (poly(3-Hexylthiophene)), both of which are semiconducting materials. All three of these materials are readily deposited by inkjet techniques and are therefore particularly suitable for use in the present invention. A further material, pentacene, is a semiconducting molecular material, which is usually deposited by thermal evaporation under vacuum conditions. It is also possible to deposit liquid precursors and subsequently anneal the precursors to form pure pentacene. This material may also be used for the semiconducting structures of the protection layer. In addition, PVP (poly(4-vinylphenol)) is an insulating polymer that can be used as a topography-forming layer or as an interfacial insulator or a passivation layer. The use of such layers is discussed later.
The above list of materials is by no means exhaustive, there being others that may equally well be used in the present application.
It is preferred that the organic protection layer be combined with an outer layer (e.g. a resin) to form a packaging layer enclosing the overall device (e.g. a smart card), such that, when the packaging layer is damaged during a tampering process or an invasive attack, the organic material is destroyed or degrades to such an extent that the process or attack is detected electronically.
In general, to provide good protection, the protection layer must be sure to be damaged in an attack and its integrity must be easily verifiable. Ideally also, any signalling that takes place must be difficult to mimic by an attacker. The protection layers provided by the various embodiments of the present invention attempt to meet these criteria.
A first embodiment of a smart-card chip arrangement in accordance with the invention is illustrated in
In this embodiment the layer is used as an RC (resistor-capacitor) delay line and the control circuitry feeds a pulse into one end of the delay line and measures the time it takes for the pulse to reach the other end. An alarm is triggered if the response time changes. Such a change in response time could result from a tampering attempt, which alters the electrical properties of the layer, and thereby the delay time. A block diagram of this control arrangement is shown in
A second embodiment of the invention is depicted in
The detector 32 in
A third embodiment of the present invention is shown in
To derive the encryption key from the delay time and pre-key bits, the analogue delay time detected by the timer 24 must be digitised. This may be achieved either by counting the number of clock cycles the signal takes to reach a certain threshold at the receiving end of the delay line, or by using a digital-to-analogue converter (DAC). The voltage at the input of the DAC is converted to a digital signal after a fixed time, which is chosen such that it coincides with charging of the receiving node (i.e. when the pulse reaches the far end, and the voltage has not yet reached its steady state). The number of bits constituting the delay time will vary, depending on the achievable accuracy. To increase accuracy, it may be necessary to compensate for environmental conditions such as ambient temperature. Depending on the materials employed, the conductivity of the protection layer will vary—usually the conductivity increases with temperature. The capacitance, however, will remain fixed, resulting in shorter delay times. Compensation can be simply achieved by providing a temperature sensor on the chip (e.g. a diode—temperature sensors are readily available for CMOS technology) and a lookup table containing the compensation coefficients. For best spread of output key values, a hash function may be used to derive the actual encryption key from both inputs. As is well known, a hash function is a complex function that combines data in such a way that a change in a single value changes the result significantly. It is also a one-way function—i.e. the original values cannot be derived from the result.
The reliability level afforded by this third embodiment is higher than that afforded by either of the first and second embodiments. This is because, whereas the first and second embodiments provide a single-bit test decision only (i.e. an indication of “PASS” or “FAIL”), in the third embodiment the test result forms the cryptographic key. An incorrect cryptographic key results in failure of the smart card device without the need for pass/fail signals and associated circuitry (that could likewise be tampered with).
The mode of operation of the first two embodiments is illustrated in the flowchart of
It is possible that an attacker could successfully unset the afore-mentioned flag, in which case the self-characterization routine will be restarted. In that event, the tampered-with protection layer will be read and its resulting characteristics taken to be the original initial ones, leading to the possibility that the attacker could use the card to withdraw funds, etc. It is under these circumstances that the use of a write-once memory is beneficial, since the new self-characterizing values cannot be written to the memory. Thus the characteristic values of the damaged protection layer will not match the characteristic values stored in memory, leading to a “FAIL” indication, as mentioned earlier.
In all these embodiments, the organic protection layer also provides some degree of shielding for the various signals arising from the operation of the smart-card chip. This is important if the risk of attack is to be reduced. The effectiveness of this shielding will dependent to some extent on how large the gaps are in the grid structure of the layer. The protection layer will carry its own signals, of course, which can escape to the outside. It is envisaged that additional protective measures, such as the provision of one or more dedicated shielding layers, may be provided in order to mitigate this drawback.
A refinement of the embodiments just described will now be explained with the aid of
A further refinement involves the addition of a further layer, which enhances the damage done to the protection layer. An example of this is shown in
A particularly advantageous variant of the embodiments so far described involves the use of multiple organic protection layers on the same chip.
For the sake of completeness,
The use of at least two separate protection layers allows the use of a fourth embodiment of the invention, which is illustrated in
The processor circuit 86 compares the characteristics of the two layers, so that any significant relative change in characteristics is taken to indicate the occurrence of an attack. The initial testing phase of this embodiment will assess the “correct” (i.e. “untampered”) time-delay difference between the two layers and place that in the memory 84 as the reference value. In subsequent tests, in the event that no tampering or 20 attack has taken place, the difference in time delays will remain unaltered, providing a “PASS” decision at the output of the processor circuit 86. On the other hand, where one of the layers has been tampered with, the delays will be appreciably different, providing a “FAIL” decision at the processor-circuit output. It may be possible, by strict control of the deposition conditions of the two organic layers, for the electrical characteristics—and hence the time delay—of the two layers to be almost identical. In that case, the reference value in the memory 84 will be ideally zero or, more realistically, a narrow spread of values in view of the small finite difference in the characteristics of the two layers. Any difference value outside the reference value will result in a “FAIL” signal at the output of the processor circuit 86, otherwise a “PASS” indication is given. Instead of a zero time delay, other reference values may be stored in the memory 84. Two possibilities are a fixed ratio of delays or a fixed absolute time-delay difference.
This embodiment assumes that an attack will affect the outer layer (see RC network 72) in preference to the inner layer (see RC network 70), so that a difference between their characteristics does arise. If an attack took place while the smart-card was powered up, it would be easy to detect a relative change in the characteristics of the two layers, provided sampling of the inner layer took place sufficiently quickly after the sampling of the outer layer—i.e. during the time in which the attack was taking place. However, an attack is far more likely to occur with the card not powered up. In that case, the present invention envisages the detection of not only relative changes between the layers, but also of absolute changes—for example, by using as an additional reference value an absolute value of delay. Thus, although, if both layers were roughly equally affected by an attack, a sufficiently great relative change might not be detected, it is very likely that the delay times of both layers will have increased beyond the absolute maximum reference-time value. This would be detected and the necessary protection provided.
An advantage of the fourth embodiment is that the differential configuration cancels out the effect of parasitic environmental influences, e.g. temperature variations or fluctuations in the chip supply voltage.
As an alternative to configuring the differential arrangement of
One possible way of configuring two or more different protection layers side-by-side on the same chip is shown in
If all sections are used, one method is to compare different pairs of sections with each other. Thus, the characteristics of sections 102 and 104 could be compared with each other against a reference value, as could also the characteristics of sections 106 and 108. Then either the two results of these comparisons could be used separately as a kind of backup indication of card integrity, or they themselves could be compared with each other to yield a single comparison result, which is used to determine card integrity. When all of the sections are compared with each other directly to yield a single comparison result, one possibility is to form an average characteristic value for the four different sections, and to then compare this value with a single reference value.
In
In the
A further kind of pattern, which may be employed, is shown in
A two-layer version of this arrangement is illustrated in
With the arrangement just described, any short-circuit between the layers will halve the effective electrical length of the spiral pattern and be detectable using only two connection pads, as shown.
Both the single-layer spiral pattern and the two-layer spiral pattern have the drawback that they contain spaces between the track sections, which an attacker could exploit in order to gain access to the cryptographic key of the chip. With the single-layer case, a solution analogous to that shown in
Although it has been assumed that the organic protection layer will be applied to the chip surface as a grid pattern by an inkjet technique, it may be applied by other means—for example, screen printing, micro-contact printing or, in the case of Pentacene, vacuum deposition. The screen printing technique is described in, e.g. “Screen-printed passive matrix displays based on light-emitting polymers”, J. Birnstock et al, Applied Physics Letters, volume 78 number 24, 2001, pages 3905-3907, while micro-contact printing is described in J. Tate, et. al., “Anodization and Microcontact Printing on Electroless Silver: Solution-Based Fabrication Procedures for Low-Voltage Electronic Systems with Organic Active Components”, Langmuir, volume 16, number 14, 2000, pages 6054-6060. Furthermore, it may take the form of a continuous layer over the relevant parts of the chip surface, rather than a grid. In this case, an attack which damages part of this continuous layer will still affect the properties of the layer, so that the key may be protected. However, in comparison with a grid the sensitivity of such a layer may be less than ideal. In practice, therefore, some form of grid pattern is to be preferred.
While the electrical characteristics of the protection layer have, as so far described, been determined based on an RC time constant or the I-V transfer function, an alternative is to derive the layer's characteristics on the basis of the metal-organic interface properties. The electrical contact properties are determined by the microstructure (deposition conditions) of the organic material. For a combination of materials, a Schottky barrier is formed between the metal and organic material. This results in diode-like contact properties, with the height of the Schottky barrier varying with the materials being combined. The electrical properties (contact resistance, contact noise) of contacts between dissimilar materials are usually very sensitive to fabrication conditions and contamination, hence they are a promising candidate for both tamper sensing and providing individual characteristics for each chip. It was shown, for example by Lim et al. (Jung Ah Lim et. al., “Solvent effect of inkjet printed source/drain electrodes on electrical properties of polymer thin-film transistors,” Applied Physics Letters, volume 88 No. 8, 2006), that an addition of DMSO (Di-methyl-sulf-oxide) to a PEDOT/PSS solution reduces the contact resistance/Schottky barrier.
The smart-card chip arrangement described in this specification has a number of advantages with respect to the conventional arrangements employing metal protection grids. Firstly, use of an organic protection layer allows a large number of suitable grid structures to be employed, even within the same production batch, which can help to protect against spoofing. Secondly, because this layer is disposed on top of the outer layer of the chip, it is more exposed to tampering and hence, if it is tampered with, this can lead to shut-down of the card's services before the cryptographic key has been accessed. Thirdly, compared with a method such as Kömmerling's, as described in the afore-cited patent, no sensor structure is required on the chip. This simplifies fabrication and minimizes added complexity.
Possible applications for the smart-card chip arrangement according to the present invention are, as already mentioned, smart cards for authorizing bank transactions, but also copy-protection devices, game cartridges, inkjet or laser printer cartridges, RFID tags, pay-TV decoder cards, phone cards, etc. All of these applications, and others not specifically mentioned here, are intended to come under the term “smart-card chip arrangement” used in this specification.
Number | Date | Country | Kind |
---|---|---|---|
0717783.5 | Sep 2007 | GB | national |