DE102005063482B4 - Data transmission device for use in data processing device, has interface performing preventive measure against transferring of data from that interface to other interface, if decoding data stream does not correspond to expected data stream - Google Patents

Data transmission device for use in data processing device, has interface performing preventive measure against transferring of data from that interface to other interface, if decoding data stream does not correspond to expected data stream

Info

Publication number
DE102005063482B4
DE102005063482B4 DE200510063482 DE102005063482A DE102005063482B4 DE 102005063482 B4 DE102005063482 B4 DE 102005063482B4 DE 200510063482 DE200510063482 DE 200510063482 DE 102005063482 A DE102005063482 A DE 102005063482A DE 102005063482 B4 DE102005063482 B4 DE 102005063482B4
Authority
DE
Germany
Prior art keywords
data
encryption
data stream
initial value
decryption
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
DE200510063482
Other languages
German (de)
Inventor
Berndt Gammel
Dietmar Schreiblhofer
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Infineon Technologies AG
Original Assignee
Infineon Technologies AG
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Infineon Technologies AG filed Critical Infineon Technologies AG
Priority to DE200510063482 priority Critical patent/DE102005063482B4/en
Priority claimed from DE200510013830 external-priority patent/DE102005013830B4/en
Application granted granted Critical
Publication of DE102005063482B4 publication Critical patent/DE102005063482B4/en
Application status is Active legal-status Critical
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communication the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/065Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
    • H04L9/0656Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
    • H04L9/0662Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher with particular pseudorandom sequence generator
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/82Protecting input, output or interconnection devices
    • G06F21/85Protecting input, output or interconnection devices interconnection devices, e.g. bus-connected or in-line devices
    • HELECTRICITY
    • H01BASIC ELECTRIC ELEMENTS
    • H01LSEMICONDUCTOR DEVICES; ELECTRIC SOLID STATE DEVICES NOT OTHERWISE PROVIDED FOR
    • H01L2225/00Details relating to assemblies covered by the group H01L25/00 but not provided for in its subgroups
    • H01L2225/03All the devices being of a type provided for in the same subgroup of groups H01L27/00 - H01L51/00
    • H01L2225/04All the devices being of a type provided for in the same subgroup of groups H01L27/00 - H01L51/00 the devices not having separate containers
    • H01L2225/065All the devices being of a type provided for in the same subgroup of groups H01L27/00 - H01L51/00 the devices not having separate containers the devices being of a type provided for in group H01L27/00
    • H01L2225/06503Stacked arrangements of devices
    • H01L2225/06555Geometry of the stack, e.g. form of the devices, geometry to facilitate stacking
    • H01L2225/06568Geometry of the stack, e.g. form of the devices, geometry to facilitate stacking the devices decreasing in size, e.g. pyramidical stack
    • HELECTRICITY
    • H01BASIC ELECTRIC ELEMENTS
    • H01LSEMICONDUCTOR DEVICES; ELECTRIC SOLID STATE DEVICES NOT OTHERWISE PROVIDED FOR
    • H01L25/00Assemblies consisting of a plurality of individual semiconductor or other solid state devices ; Multistep manufacturing processes thereof
    • H01L25/03Assemblies consisting of a plurality of individual semiconductor or other solid state devices ; Multistep manufacturing processes thereof all the devices being of a type provided for in the same subgroup of groups H01L27/00 - H01L51/00, e.g. assemblies of rectifier diodes
    • H01L25/04Assemblies consisting of a plurality of individual semiconductor or other solid state devices ; Multistep manufacturing processes thereof all the devices being of a type provided for in the same subgroup of groups H01L27/00 - H01L51/00, e.g. assemblies of rectifier diodes the devices not having separate containers
    • H01L25/065Assemblies consisting of a plurality of individual semiconductor or other solid state devices ; Multistep manufacturing processes thereof all the devices being of a type provided for in the same subgroup of groups H01L27/00 - H01L51/00, e.g. assemblies of rectifier diodes the devices not having separate containers the devices being of a type provided for in group H01L27/00
    • H01L25/0657Stacked arrangements of devices
    • HELECTRICITY
    • H01BASIC ELECTRIC ELEMENTS
    • H01LSEMICONDUCTOR DEVICES; ELECTRIC SOLID STATE DEVICES NOT OTHERWISE PROVIDED FOR
    • H01L2924/00Indexing scheme for arrangements or methods for connecting or disconnecting semiconductor or solid-state bodies as covered by H01L24/00
    • H01L2924/0001Technical content checked by a classifier
    • H01L2924/0002Not covered by any one of groups H01L24/00, H01L24/00 and H01L2224/00

Abstract

The device has a data transfer interface (104a) to receive an encoding data stream using encoding initial value. Another interface (104b) produces a decoding data stream from the encoding data stream using a decoding initial value. The interface (104b) performs a preventive measure against transferring of data from the interface (104b) to the interface (104a), if the decoding data stream does not correspond to an expected data stream. Independent claims are also included for the following: (1) a method for operating a device for coded transmission of data between two semiconductor chips (2) a computer program with a program code for execution of a method for coded transmission of data between two semiconductor chips.

Description

  • The present invention relates to the technical field of cryptography, and more particularly, the present invention relates to the technical field of cryptographic assurance of data exchange of two semiconductor chips.
  • Because of the significant increase in complexity of modern algorithms or circuits, often the area available on a single semiconductor chip is no longer sufficient to ensure a compact integrated circuit and thus a short line length in this circuit rapid processing of such complex algorithms on the individual semiconductor chip. In order to counteract this problem, two chips are often connected to one another in the prior art, as is the case, for example, in US Pat 2 is shown. For this purpose, for example, an upper chip 200 with a lower chip 202 connected such that a first pad 204 the upper chip of a second pad 206 of the lower chip 202 opposite and thus a contact from the upper chip 200 to the bottom chip 202 via corresponding contact points 208 is possible. However, such a division of the processing of an algorithm or a division of a corresponding security controller into two chips entails additional security risks and requires security measures against emerging attack scenarios. Are these two chips in the so-called face-to-face technology (F2F technology = face-to-face technology = contact surface to contact surface technology) interconnected and can be assumed that it is technically possible only under extreme effort To separate the two chips without destroying at least one of the chips, then simple security measures are possible to prevent the spying of data from the one still functioning chip. Such simple security measures against the spying of data of a still functioning chip are known to a person skilled in the art. However, recent findings have shown that the chips, for example by selective etching, but can be separated by reasonable effort, so that both chips still work individually. A potential attacker thus has the opportunity to reconnect both chips through lines and the communication between the two chips (for example, between the top chip 200 and the bottom chip 202 over the contact points 208
    • a) listen and
    • b) to manipulate communication as well (for example through a "man-in-the-middle" attack).
  • The DE 101 62 310 A1 and the DE 197 82 075 C2 describe approaches to secure transmission of data between second functional units by encrypting the data, the keys being stored in the respective functional units during manufacture.
  • The present invention has for its object to provide an improved way to transfer data tapping and tamper-proof between two semiconductor chips, attacks can be safely detected and fended off.
  • This object is achieved by a device according to claim 1, a method according to claim 22.
  • The present invention provides a device for the encrypted transmission of data between two semiconductor chips of a data processing device, wherein a first semiconductor chip is connected to a second semiconductor chip and wherein the device has the following features:
    a non-volatile memory element in each of the two semiconductor chips,
    wherein an encryption initial value for an encryption instruction is stored in the memory element of the first semiconductor chip and in the memory element of the second semiconductor chip a decryption initial value assigned to the encryption initial value is stored for a decryption instruction assigned to the encryption instruction,
    the first semiconductor chip having a first data transmission interface configured to generate an encryption data stream from an input data stream using the encryption initial value according to the encryption policy;
    the second semiconductor chip having a second communication interface configured to receive the encryption data stream and to generate a decryption data stream from the encryption data stream using the decryption initial value in accordance with the decryption policy and to compare the generated decryption data stream with an expected data stream;
    wherein the second communications interface is further configured to perform a defensive measure against transmitting data from the second communications interface to the first communications interface when the decryption data stream does not correspond to the expected data stream,
    wherein the second semiconductor chip comprises a functional unit having a third data transmission interface, a controller having a fourth data transmission interface, and a bus including the first, second, third, and fourth Data transfer interface connects, wherein the functional unit is designed to receive the decryption initial value from the memory element of the second semiconductor chip via the bus in the second semiconductor chip, and
    wherein the second semiconductor chip is configured to suppress transmission of the decryption initial value to the first semiconductor chip upon transmission of the decryption initial value from the memory element of the second semiconductor chip to the functional unit.
  • Furthermore, the present invention provides a method for operating a device for the encrypted transmission of data between two semiconductor chips of a data processing device,
    wherein the encrypted transmission device comprises a non-volatile memory element in each of the two semiconductor chips,
    wherein an encryption initial value for an encryption instruction is stored in the memory element of the first semiconductor chip, and a decryption initial value of a decryption instruction assigned to the encryption instruction is stored in the memory element of the second semiconductor chip,
    the first semiconductor chip having a first data transmission interface configured to generate an encryption data stream from an input data stream using the encryption initial value according to the encryption policy;
    the second semiconductor chip having a second communication interface configured to receive the encryption data stream and to extract a decryption data stream from the encryption data stream using the decryption initial value in accordance with the decryption policy and to compare the determined decryption data stream to an expected data stream;
    wherein the second communications interface is further configured to take a defensive measure against transmitting data from the second communications interface to the first communications interface when the decrypting data stream does not correspond to an expected data stream,
    wherein the second semiconductor chip comprises a functional unit having a third data transmission interface, a controller having a fourth data transmission interface and a bus connecting the first, second, third and fourth data transmission interfaces, and
    the method comprising the steps of:
    Encrypting data of the input data stream in the first data transmission interface using the encryption initial value according to the encryption policy to generate the encryption data stream;
    Transmitting the encryption data stream from the first communication interface to the second communication interface;
    Decrypting the encryption data stream in the second communication interface using the decryption initial value in accordance with the decryption policy to determine the decryption data stream;
    Taking a defensive measure against transmission of data from the second communication interface to the first communication interface when the decryption data stream does not correspond to an expected data stream; and
    Transmitting the decryption initial value via the bus in the second semiconductor chip from the memory element of the second semiconductor chip to the functional unit, wherein upon transmission of the decryption initial value from the memory element of the second semiconductor chip to the functional unit, transmission of the decryption initial value to the first semiconductor chip is suppressed.
  • The present invention is based on the recognition that a tapping and manipulation-proof data transmission between two semiconductor chips is possible in that in the first data transmission interface the input data stream is scrambled with the data to be transmitted according to a scrambler rule (ie scrambled or scrambled and / or encrypted, wherein scrambling in a general form may also be referred to as encrypting) so that the first data transmission interface located in the first semiconductor chip outputs a scrambler data stream. This scrambler data stream may then be received and "unpacked" by the second communication interface in the second semiconductor chip (ie, scrambling and / or encryption performed in the first communication interface is undone; accordingly, descrambling in a general form may be referred to as decrypting be) from which the (original) input data stream can be determined with the data to be transmitted. For this "unpacking", a descrambler rule assigned to the scrambler rule is used. An essential aspect of the invention is the device according to the invention for the authenticated transmission of data in that a scrambler initial value is used both for the scrambler in the first data transmission interface and for the descrambler in the second data transmission interface a descrambler initial value is used by the scrambler Initial value assigned by, for example, a scrambler in the first communication interface and a descrambler in the second communication interface is initialized. The scrambler initial value is stored both in a non-volatile memory in the first semiconductor chip, wherein the descrambler initial value is stored in a non-volatile memory of the second semiconductor chip. This makes it possible to store the scrambler and descrambler initial value already in such a two-chip connection in each of the two chips, so that only with knowledge of the correct (ie respectively assigned) Scrambler or Descrambler initial value a meaningful Evaluation of the transmitted data between the two semiconductor chips is possible. However, if such a mutually matching initial value is already stored in each of the two semiconductor chips when the two semiconductor chips are manufactured, it is therefore possible with clever choice of the initial value that only the two semiconductor chips equipped with respective assigned initial values can exchange data with one another in a secure manner. As a defense measure against transmission of data from the second data transmission interface in the first data transmission interface come approaches such as a powerless switching of the second semiconductor chip, a complete inhibiting the exchange of data between the two semiconductor chips or even an output of random numbers or pseudo-random numbers to one confuse possible attacker. However, these examples of defensive measures to be performed are merely enumerated by way of example and can be replaced and / or supplemented by any further approaches known to a person skilled in the art to ward off unauthorized interception of a communication.
  • The present invention offers the advantage of providing a possibility for tapping and tamper-proof data communication between two semiconductor chips, so that interception of the communication between the two chips is very difficult and furthermore a manipulation of the communication, for example by a man-in-hand. the-middle attack, versus a direct, d. H. open communication between the two semiconductor chips is significantly more difficult. Furthermore, the present invention has the advantage that the use of an initial value-based scrambler or descrambler a numerically or circuitry simple, but at the same time compared to a conventional "open" communication significantly higher security of data exchange is possible.
  • It is also advantageous if the first data transmission interface is designed to generate the scrambler data stream in order to link data of the input data stream with auxiliary data and wherein the second data transmission interface is designed to determine the input data stream in order to link data of the scrambler data stream with further auxiliary data, wherein the auxiliary data and the further auxiliary data are in a predetermined relationship to each other. This offers the advantage of not just scrambling. Ie. temporal re-sorting of the data to be transmitted, but to ensure a significant increase in the security of data transmission by linking with auxiliary data or other auxiliary data.
  • The auxiliary data or the further auxiliary data may also comprise random numbers, pseudorandom numbers or a cryptographic key. This offers the possibility of being able to provide such auxiliary numbers by circuit-wise or numerically simple way. The use of a cryptographic key also offers the possibility of allowing a previously calculated data sequence as a cryptographic key to further reduce the circuitry or numerical complexity, without suffering a loss in terms of the security of the data transmission.
  • Furthermore, the first data transmission interface may also comprise a generator for generating the auxiliary data and the second data transmission interface may comprise a generator for generating the further auxiliary data, wherein a start setting of the generator of the first data transmission interface by the scrambler initial value and a start setting of the generator by the descrambler initial value second data transmission interface is defined. Such an embodiment of the device according to the invention offers the advantage that this makes possible a simple implementation of the use of the scrambler initial value or the descrambler initial value, without having to carry out a numerically or circuitry-consuming arithmetic operation with the corresponding initial values.
  • According to another embodiment of the present invention, the generators may comprise a current encryption unit with shift registers (s) (or LFSRs). Such trained generators can be implemented by standardized circuit elements very easy.
  • In a favorable embodiment of the present invention, the first data transmission interface and the second data transmission interface may be configured to combine the data of the input data stream with the auxiliary data and to associate the data of the scrambler data stream with the further auxiliary data on the basis of an EXCLUSIVE ORing rule perform. Such an EXCLUSIVE-OR operation offers the advantage of a very simple implementation.
  • Furthermore, the scrambler initial value and the descrambler initial value can also be identical. This then offers the advantage that the procedure of storing the initial values can be simplified. In scramblers and descramblers of the same structure, identical scrambler initial values and descrambler initial values are used, which results in cost-effective production possibilities of the device for authenticated transmission, for example by reuse of a mask for semiconductor chips in the presence of structurally identical scramblers and descramblers.
  • The first semiconductor chip or the second semiconductor chip may also comprise a device for generating the scrambler initial value and the descrambler initial value, wherein the device for generating is designed to store the scrambler initial value into the memory element of the first semiconductor chip and the descrambler in a personalization phase Initial value to be stored in the memory element of the second semiconductor chip. This offers the advantage that the scrambler initialization value and the descrambler initialization value have not been externally generated by an algorithm and stored in the corresponding chip, but the corresponding initial values are generated directly in the device for the purpose of authenticating itself. This therefore offers a significant gain in additional security against a "discovery" of the scrambler initial value and the descrambler initial value.
  • In another embodiment of the present invention, the first communication interface may further be configured to use an overhead number for generating the scrambler data stream, and wherein the second communication interface may be further configured to perform for determining the input data stream based on the overhead , where the additional number is a random number or a pseudo-random number. By taking into account such an additional number in the case of authenticated transmission of data between two semiconductor chips, the security of the data transmission can thus be further increased, since not only the knowledge of the scrambler and descrambler rule is necessary, but additionally the additional number has to be considered.
  • Furthermore, the nonvolatile memory element of the first semiconductor chip and the nonvolatile memory element of the second semiconductor chip may be ROM (read only memory), FROM (factory = variable ROM) Read only memory), PROM (programmable read only memory), EPROM (EPROM) or an electronically switchable fuse. As a result, the initial values can be stored in a simple and cost-effective manner.
  • In a further embodiment, the second semiconductor chip may further comprise a third data transmission interface having a volatile memory element and a controller, wherein the third data transmission interface may be configured to receive the scrambler data stream and extract it from the scrambler data stream using the descrambler initial value according to Descrambler rule to determine the input data stream and wherein the control means may be configured to read the descrambler initial value from the non-volatile memory element of the second semiconductor chip and to transmit this to the volatile memory element of the third data transmission interface. Such a configuration offers the advantage that further functional elements can be used in the second semiconductor chip with volatile (in particular freely programmable) memories which can be configured as a descrambler as required for the function. Thus, for example, a dynamic configuration of the available computing power can take place, which can contribute to a further flexibilization and a further acceleration of the execution of a complex algorithm.
  • Furthermore, the first data transmission interface, the second data transmission interface, the third data transmission interface and the control device can also be connected to one another by means of a data bus, wherein the control device can be configured to read out the descrambler initial value from the nonvolatile memory element of the second semiconductor chip and to store it the descrambler initial value into the volatile memory element of the third data transmission interface using the data bus, and wherein the control device may further be configured to transmit the descrambler initial value to the first data transmission interface when transmitting the descrambler initial value to the volatile memory element of the third data transmission interface prevent. This makes it possible to ensure that the descrambler initial value can not be read from the second semiconductor chip or recognized in any other way, whereby the high security of the authenticated data transmission can be maintained even when using freely configurable functional elements.
  • Also, in the nonvolatile memory element of the second semiconductor chip, the scrambler initial value and in the nonvolatile memory element may further be used Furthermore, the second data transmission interface may be configured to generate another scrambler from a further input data stream using the scrambler initial value stored in the non-volatile memory element of the second semiconductor chip in accordance with the scrambler rule. Generate data stream and wherein the first data transmission interface can be configured to receive the further scrambler data stream and from the further scrambler data stream using the stored in the non-volatile memory element of the first semiconductor chip descrambler initial value according to the Descrambler rule the other To determine input data stream. This offers the advantage that a bi-directional authenticated data transmission is possible, which has an advantageous effect on a flexible distribution of an algorithm to be processed on the two semiconductor chips.
  • A preferred embodiment is explained below with reference to the accompanying drawings. Show it:
  • 1 a block diagram of an embodiment of the present invention; and
  • 2 a two-chip connection, as in the prior art.
  • In the figures, the same or similar elements are denoted by the same or similar reference numerals, wherein a repeated description of these reference numerals is omitted.
  • The 1 shows a block diagram of an embodiment of the device according to the invention. In the 1 The device shown here comprises several functional blocks 100a to 100c which can be arranged in different semiconductor chips. Through the dashed line 102 this is in 1 a division of the assignment of the function blocks 100a to 100c marked on the upper chip or the lower chip, so that the function block 100a according to 1 in the upper chip (ie, for example, in the in 2 represented chip 200 ) and the functional blocks 100b and 100c in the lower chip (ie in 2 in the lower chip 202 ) are arranged. Each of the three functional units 100a to 100c includes a communication interface 104a to 104c each a scrambler 106 with a power encryption unit 108 includes. Furthermore, each of the three functional units 100a to 100c a non-volatile memory 110 (NVM = nonvolatile memory) in which the scrambler initial value or the descrambler initial value is stored accordingly. The first data transmission device 104a is with the second data transmission device 104b and the further data transmission device 104c connected via a data bus XBUS, wherein between the first data transmission interface 104a and the second and further data transmission interface 104b and 104c a data suppression device 112 (Data suppressor) is inserted. The data selection device 112 is over a switch 114 controllable, the switch 114 with an address decoder 116 and a control input 118 connected is. In order to be able to transmit data via the data bus XBUS, the further data transmission interface 104c as the controller (or XBus Master XBM) while the first communication interface 104a and the second communication interface 104b as of the acting as a control device further data transmission interface 104c dependent data transmission interface (or XBus slaves XBS) act. Furthermore, a random number generator may be used which outputs a random signal (in the form of a random number or a random bit) corresponding to each of the LSFRs 108 the individual data transmission interfaces 104a to 104c is supplied.
  • The operation of such a device for transferring data between two semiconductor chips, as shown in 1 can be described as follows. First, in making such a two-chip connection, a scrambler initial value is in the non-volatile memory 110 of the first semiconductor chip (ie, for example, in the first functional block 100a ), whereas in the non-volatile memory 110 of the second semiconductor chip 202 (ie, for example, in the second function block 100b ) a corresponding, the scrambler initial value assigned Descrambler initial value is to be stored.
  • If a device produced in this way for transferring data between two semiconductor chips is used, for example, one in the first functional block 100a performed algorithm provide data in a data stream, which for further processing to an algorithm or an algorithm part in the second function block 100b is to be transferred. For this purpose, this data stream of the first data transmission interface 104a supplied using the scrambler as the encryption unit 106 and the scrambler initial value stored in non-volatile memory 110 of the first semiconductor chip 200 stored, generates a scrambler data stream or an encryption data stream. For this purpose, for example, the data of the data stream can be resorted in their temporal order or sequence, or alternatively or additionally, the data of the data stream can be linked to auxiliary data (for example, to encrypt the data of the data stream). This link can for example, as an EXCLUSIVE-OR operation by means of an EXOR gate (EXOR = EXCLUSIVE-OR); However, it is also possible to use another cryptographic link with a cryptographic key, such as a cryptographic stream cipher or a block cipher based on a non-linear stream encryption unit bundle. The auxiliary data can be random numbers, pseudorandom numbers or a cryptographic key. Pseudo-random numbers in this context are understood to mean a sequence of numbers which can be generated by an algorithm which outputs individual numbers with a certain frequency, regardless of where these numbers stand in a stream of numbers output by the algorithm. Alternatively, however, a special predefined arrangement of numbers or bits (for example a special cryptographic key) can also be used for these auxiliary numbers.
  • The data of the scrambler data stream may then be from the first communication interface 104a from the upper chip 200 via the contact connections 208 to the bottom chip 202 , in particular via the data suppressor 112 to the second communication interface 104b in the second semiconductor chip 202 be transmitted. The second communication interface 104b can using the scrambler 106 (the Indian 1 may also perform the function of a descrambler or decryption unit and is referred to as a scrambler for illustrative purposes only) and that in the non-volatile memory 110 of the second semiconductor chip 202 stored descrambler initial value from the scrambler data stream to reconstruct the input data stream or the data of the input data stream. Of central importance here is that in the first function block 100a used scrambler rule of the scrambler 106 also in the second function block 100b is known (or implicitly known by the scrambler rule associated with the descrambler rule) whereby a Rückermittlung that of the first data transmission interface 104a emitted scrambler data stream is possible. For this it is also necessary that the non-volatile memory 110 of the first semiconductor chip 200 (upper chip) stored scrambler initial value is in a predetermined relationship to the descrambler initial value stored in the non-volatile memory 110 of the second semiconductor chip 202 (lower chip) is stored. Would a potential attacker now separate the two chips and via the contact connections 208 Having access to the data communication between the two chips would be necessary to evaluate the data transfer between the two semiconductor chips, the knowledge of the scrambler or Descrambler rule and the knowledge of the Scrambler and Descrambler initial value. With a suitable choice of a scrambler or descrambler rule and a favorable initial scrambler and descrambler value (in particular when choosing a scrambler or descrambler initial value from a large number of possible initial values), it is thus possible to oppose an unprotected transmission between the two Both chips realize a significant increase in the security of such data transmission. As noted above, scrambling can generally be understood as encryption, in which case the corresponding descrambling is to be understood as decryption.
  • Furthermore, data transmission can also take place in the opposite direction (ie starting from the second data transmission interface 104b via the data bus XBUS, the data suppressor 112 and the contact point 108 to the first communication interface 104a ). In this case, the functionalities of the scrambler or descrambler described above would be exactly reversed, ie in non-volatile memory 110 of the second semiconductor chip 202 if the scrambler initial value were stored, the scrambler 106 the second functional unit 104b would execute the scrambler rule, the scrambler 106 in the first functional unit 104a would execute the corresponding descrambler rule while in non-volatile memory 110 of the first semiconductor chip 200 the descrambler initial value is stored. For this, make sure that as a scrambler 106 designated functional units can perform both the scrambler rule and the descrambler rule, but this is usually no problem in today's data processing systems and such reconfiguration is known to a person skilled in the art.
  • In order to further increase the security of such a data transmission between two semiconductor chips, a random number generator RNG can also be used. This random number generator RNG generates random numbers Reseed (or random bits) which are fed to each connected LSFR. These random numbers generated by the random number generator RNG then serve to take into account, at certain times, the random number or the random bit in the execution of the scrambler or descrambler rule according to a predefined consideration rule. As a result of this random bit all LSFRs involved in the data transmission 108 is accessible, an effect of the random number or the random bit on the scrambler data stream with knowledge of the scrambler or descrambler rule and the consideration rule can be detected in any case, since both the value and the time of the considered random number or the considered Random bits are then known.
  • If, for example, an additional functional unit is used on-chip (which is not technically problematic in terms of safety) to support or speed up the execution of the algorithm to be executed, it is necessary for the further functional unit (which in FIG 1 not shown) on the secure data transmission between the first semiconductor chip 200 and the second semiconductor chip 202 can participate. For this purpose, for example, the descrambler initial value from the non-volatile memory 110 of the second semiconductor chip 202 be read and transferred to the other, not shown, function block. To do this, for example, the third function block 100c with the further data transmission interface 104c , which is designed as an XBus master, a query of the descrambler initial values from the non-volatile memory 110 of the second semiconductor chip 202 cause and transmit the read descrambler initial value via the data bus XBus to the further functional block, which has the third data transmission interface, which is analogous to the first and second data transmission interface 104a and 104b is established (ie also acts as XBus slave).
  • In such a transfer of the descrambler initial value, however, it must be ensured that the descrambler initial value is not external to the second semiconductor chip 202 is accessible, ie not via the contact connection 208 is transmitted. For this, the data suppressor 112 be used, which is over the switch 114 is controllable. For example, from the address decoder 116 AD the readout signal of the further data transmission interface 104c detected, external access to the XBus from the contact terminals 208 be suppressed so that the descrambler initial value is not outside the second semiconductor chip 202 can be read. Here, for example, on the connection 118 an enable signal can be applied, depending on the state of the data suppressor 112 the data transmission to the first data transmission interface (or vice versa) suppressed, so that, for example, via the port 118 an error signal can be evaluated indicating that the two semiconductor chips are separated from each other. An error signal designed in this way would once again increase the security of the data transmission, since in this case also the direct separation of the two semiconductor chips suppresses the data transmission via the connection contacts 208 could lead.
  • A transfer of the descrambler initial value to the first function block 100a in the first semiconductor chip 200 Furthermore, it is also not necessary since a corresponding initial value is already set in a personalization phase (ie factory) and thus the knowledge of an initial value necessary for the secure data transmission already in the first semiconductor chip 200 is available.
  • In summary, it should be noted that the inventive approach provides mutual authentication by means of bus encryption or bus scrambling to accomplish. According to an embodiment of the present invention, data transported over a data bus connecting the two semiconductor chips is scrambled (ie, some or all of the data is changed in temporal order before being transmitted over the data bus and / or with the value of a pseudo Random number generator such as the LFSR EXCLUSIVE-OR-linked). In order to make the sequence of numbers of the LSFR a little more "random", a random bit of the random number generator RNG is "pushed in" from time to time to the LSFR.
  • A communication between the two semiconductor chips as system components is thus possible in particular if they each have a matching (or the same) initial value of the LSFRs and are triggered to the same extent and reset with the random bit of the random number generator RNG.
  • Preferably, the initial value of the LSFRs can be designed to be chip-specific and thus implicitly enable mutual authentication, since an upper chip only correctly "understands" its corresponding lower chip if its function blocks have the same LSFR initial value (ie with a corresponding scrambler and associated scrambler) Descrambler rule and a scrambler initial value and an associated descrambler initial value work).
  • In other words, it may be said that corresponding initial values are used for a scrambling or descrambling for the mutual authentication of two associated semiconductor chips.
  • A concrete application scenario for the device described above can be represented as follows:
    In a first personalization phase, which is still carried out at the factory, ie in a production factory of the semiconductor chips, two semiconductor chips, such as those in FIG 2 illustrated upper chip 200 and the bottom chip 202 personalized, such that, for example, the bottom chip 202 generates a random number (for example by means of a random number generator on the lower chip 202 ) and this random number is unpredictable and / or unknown from outside the chip). Alternatively, a random number can also be generated on an external device, and these are supplied to the two chips. Subsequently, this random number (and possibly a corresponding counterpart) in the non-volatile memory of the upper chip 200 and in the non-volatile memory of the lower chip 202 each stored accordingly. Should, for example, the upper chip 200 Also, if there is no conventional nonvolatile memory such as a ROM, a PROM, an FPROM, an EPROM, or a flash, fuses (ie, electrical wiring irreversibly programmable wiring networks) may be used instead.
  • After such personalization, the actual intended use of such a 2-chip network then takes place, whereby initially the data of the data transfer bus is scrambled with the default initial value (which is, for example, mask-individual). Subsequently, then the core, for example, in 1 through the third function block 100c is shown from the non-volatile memory 110 of the second semiconductor chip 202 The descrambler initial value for the scrambler generated in the personalization 106 (or in this case acts as a descrambler) and send this Descrambler initial value using a send command (broadcast command) to all XBus slaves of the system.
  • However, the read-out initial value must not be transported via the F2F interface. For this purpose, a special decoder, for example, the in 1 represented data suppressors 112 recognize the broadcast command and suppress the associated data transport (ie the transmission of the sent initial value). The XBus slaves of the upper chip 200 thus contain only the broadcast command but not the new initial value. This is not necessary, because during personalization in the non-volatile memory (for example, the eFuses) of the upper chip 200 the chip-individual initial value has been stored; it only remains, therefore, this value from the non-volatile memory 110 of the upper chip 200 to load into the corresponding XBus slaves.
  • With regard to the (pseudo) random number generator, it should be noted that the exemplary LFSR used as a pseudo-random number generator in the future may no longer be secure enough against simple cryptographic attacks. In this case, the LFSR can also be replaced by a cryptographic stream cipher that is based, for example, on a non-linear stream encryption unit.
  • Depending on the circumstances, the method according to the invention for operating a device for the authenticated transmission of data and the method according to the invention for personalizing a device for the authenticated transmission of data in hardware or in software can be implemented. The implementation may be on a digital storage medium, in particular a floppy disk or CD with electronically readable control signals, which may interact with a programmable computer system such that the corresponding method is executed. In general, the invention thus also consists in a computer program product with a program code stored on a machine-readable carrier for carrying out one of the inventive methods when the computer program product runs on a computer. In other words, the invention can thus be realized as a computer program with a program code for carrying out one of the inventive methods when the computer program runs on a computer.
  • LIST OF REFERENCE NUMBERS
  • 100a
    first functional block
    100b
    second function block
    100c
    third functional block
    102
    virtual dividing line between the two semiconductor chips
    104a
    first data transmission interface
    104b
    second data transmission interface
    104c
    central data transmission interface
    106
    scrambler
    108
    Stream encryption unit
    110
    non-volatile memory element (NVM)
    112
    Data oppressors
    114
    switch
    116
    address decoder
    118
    Contact Termination
    XBM
    Master element XBus
    XBS
    Slave element XBus
    XBus
    data transfer bus
    RNG
    Random number generator
    reseed
    Random number; random bits
    200
    upper chip, first semiconductor chip
    202
    lower chip, second semiconductor chip
    204
    first connection surface
    206
    second connection surface
    208
    contact terminals

Claims (23)

  1. Device for the encrypted transmission of data between two semiconductor chips ( 200 . 202 ) of a data processing device, wherein a first semiconductor chip ( 200 ) with a second semiconductor chip ( 202 ) and wherein the device has the following features: a non-volatile memory element ( 110 ) in each of the two semiconductor chips ( 200 . 202 ), wherein in the memory element ( 110 ) of the first semiconductor chip ( 200 ) an encryption initial value is stored for an encryption rule and in the memory element ( 110 ) of the second semiconductor chip ( 202 ) a decryption initial value assigned to the encryption initial value is stored for a decryption instruction assigned to the encryption instruction, wherein the first semiconductor chip ( 200 ) a first communication interface ( 104a ) configured to generate an encryption data stream from an input data stream using the encryption initial value according to the encryption protocol, wherein the second semiconductor chip ( 202 ) a second communication interface ( 104b ) configured to receive the encryption data stream and to generate from the encryption data stream, using the decryption initial value according to the decryption rule, a decryption data stream and to compare the generated decryption data stream with an expected data stream, the second data interface 104b ) is further adapted to provide a defensive measure against transmitting data from the second data transmission interface ( 104b ) to the first communication interface ( 104a ), if the decryption data stream does not correspond to the expected data stream, wherein the second semiconductor chip ( 202 ) a functional unit with a third data transmission interface, a control device ( 100c ) with a fourth data transmission interface ( 104c ) and a bus (XBUS), which is the first ( 104a ), second ( 104b ), third and fourth ( 104c ) Data transmission interface, wherein the functional unit is designed to transmit via the bus (XBUS) in the second semiconductor chip ( 202 ) the decryption initial value from the memory element ( 110 ) of the second semiconductor chip ( 202 ), and wherein the second semiconductor chip ( 202 ) is adapted, in a transmission of the decrypting initial value from the memory element ( 110 ) of the second semiconductor chip ( 202 ) to the functional unit, a transmission of the decryption initial value to the first semiconductor chip ( 200 ) to suppress.
  2. The device of claim 1, wherein the encryption policy is an algorithm for outputting a stream cipher or an algorithm for performing block encryption.
  3. Device according to one of claims 1 or 2, in which the two semiconductor chips ( 200 . 202 ) are arranged such that a first connection surface ( 204 ) of the first semiconductor chip ( 200 ) and a second pad of the second semiconductor chip ( 202 ) are opposite.
  4. An encrypted transmission device according to one of the claims 1 to 3, wherein the first data transmission interface ( 104a ) for generating the encryption data stream to associate data of the input data stream with auxiliary data, and wherein the second data transmission interface ( 104b ) is arranged to determine the decrypting data stream to associate data of the encryption data stream with further auxiliary data, wherein the auxiliary data and the further auxiliary data are in a predetermined relationship to each other.
  5. An encrypted transmission device according to claim 4, wherein said auxiliary data or said further auxiliary data comprises random numbers, pseudorandom numbers or a cryptographic key.
  6. An encrypted transmission device according to claim 5, wherein the first data transmission interface ( 104a ) a generator ( 108 ) for generating the auxiliary data, and the second data transmission interface ( 104b ) a generator ( 108 ) for generating the further auxiliary data, and wherein by the encryption initial value a start setting of the generator of the first data transmission interface ( 104a ) and by the decryption initial value a start setting of the generator of the second data transmission interface ( 104b ) is defined.
  7. An encrypted transmission device according to claim 6, wherein the generators ( 108 ) comprise a stream encryption unit.
  8. An encrypted transmission device according to claim 7, wherein the generators comprise a stream encryption unit comprising linear or non-linear feedback shift registers.
  9. An encrypted transmission device according to any one of claims 4 to 7, wherein the first data transmission interface ( 104a ) and the second communication interface ( 104b ) are adapted to perform the linking of the data of the input data stream with the auxiliary data and the linking of the data of the encryption data stream with the further auxiliary data on the basis of an EXCLUSIVE-ORing rule.
  10. An encrypted transmission apparatus according to any one of claims 1 to 9, wherein the encryption initial value and the decryption initial value are identical.
  11. An encrypted transmission apparatus according to any one of claims 1 to 9, wherein the encryption initial value and the decryption initial value are not identical.
  12. An encrypted transmission device according to any one of claims 1 to 11, wherein the first semiconductor chip ( 200 ) or the second semiconductor chip ( 202 ) comprises means for generating the encryption initial value and the decryption initial value, wherein the means for generating is adapted to store the encryption initial value into the memory element in a personalization phase ( 110 ) of the first semiconductor chip ( 200 ) and the decryption initial value in the memory element ( 110 ) of the second semiconductor chip ( 202 ).
  13. An encrypted transmission device according to any one of claims 1 to 12, wherein the first data transmission interface ( 104a ) is further adapted to use an additional number for the generation of the encryption data stream and in which the second data transmission interface ( 104b ) is further adapted to perform the determination of the decryption data stream on the basis of the additional number, wherein the additional number is a random number or a pseudo-random number.
  14. An encrypted transmission device according to any one of claims 1 to 13, wherein said non-volatile memory element ( 110 ) of the first semiconductor chip ( 200 ) and the non-volatile memory element ( 110 ) of the second semiconductor chip ( 202 ) comprises a ROM, FROM, PROM, EPROM or an electronically switchable fuse.
  15. An encrypted transmission device according to any one of claims 1 to 14, wherein the first and second communication interfaces ( 104a . 104b ) a stream encryption unit ( 108 ) for performing the decryption, which is adapted to determine from the input data stream using the encryption initial value according to the encryption rule the encryption data stream and from the encryption data stream using the decryption initial value according to the decryption rule to determine the decryption data stream, wherein the shift registers are adapted to for encrypting and decrypting a plurality of states to pass through and the control device ( 100c ) is adapted to the shift registers of the first data transmission interface ( 104a ) and the second communication interface ( 104b ) to a defined state.
  16. An encrypted broadcasting apparatus according to claim 15, wherein said third data transmission interface comprises a stream encryption unit for performing said decryption, which is adapted to determine said decrypting data stream from said encryption data stream using said decryption initial value according to said decryption rule, said streaming encryption unit of said third communication interface being adapted; in order to pass through a plurality of states for decryption, and wherein the control device ( 100c ) is adapted to a state of the current encryption unit of the second communication interface ( 104b ) and the current encryption unit of the third data transmission interface to the read-out state of the stream encryption unit ( 108 ) of the second communication interface ( 104b ).
  17. An encrypted transmission device according to claim 15 or 16, in which the control device ( 100c ) is configured to perform the setting of the stream encryption unit of the first and second communication interface using the data bus (XBus) and wherein the control device is further configured to perform the setting of the stream encryption unit such that when setting the stream encryption unit of the second communication interface by means of the data bus Assignment signal to the first data transmission interface ( 104a ) containing information about the state to which the second communication interface is set.
  18. An encrypted transmission device according to any one of claims 15 to 17, wherein the control means is adapted to connect the power encryption unit of the first and second communication interfaces (15). 104a . 104b ) to the state corresponding to the state corresponding to the encryption initial value and the decryption initial value.
  19. An encrypted transmission device according to any one of claims 1 to 16, wherein in the non-volatile memory element (16) 110 ) of the second semiconductor chip ( 202 ) the encryption initial value and in the nonvolatile memory element ( 110 ) of the first semiconductor chip ( 200 Furthermore, the decryption initial value is stored, wherein the second data transmission interface ( 104b ) is adapted to receive from another input data stream using the data in the non-volatile memory element ( 110 ) of the second semiconductor chip ( 202 ) in accordance with the encryption rule, and wherein the first data transmission interface ( 104a ) is adapted to receive the further encryption data stream and from the further encryption data stream using the in the non-volatile memory element ( 110 ) of the first semiconductor chip ( 200 ) decrypting initial value according to the decryption rule to determine the further input data stream.
  20. Device according to one of Claims 1 to 19, in which the second semiconductor chip ( 202 ) is adapted to execute a predefined sequence of machine executable instructions that can be determined from the expected data stream, wherein the second data transmission interface ( 104b ) is adapted to determine from the decryption data stream a machine executable instruction and wherein the second data transfer interface ( 104b ) is further configured to then provide the defensive measure against the transmission of data from the second data transmission interface ( 104b ) to the first communication interface ( 104a ) when the machine-executable instruction determined from the decrypting data stream does not correspond to a machine-executable instruction according to the predefined sequence of machine-executable instructions.
  21. Device according to one of Claims 1 to 20, in which the first data transmission interface ( 104a ) is designed to use a scrambling rule as the encryption rule and in which the second data transmission interface ( 104b ) is designed to use a descrambling rule as a decryption rule.
  22. Method for operating a device for the encrypted transmission of data between two semiconductor chips ( 200 . 202 ) of a data processing device, wherein the device for encrypted transmission comprises a non-volatile memory element ( 100 ) in each of the two semiconductor chips ( 200 . 202 ), wherein in the memory element ( 110 ) of the first semiconductor chip ( 200 ) an encryption initial value is stored for an encryption rule and in the memory element ( 110 ) of the second semiconductor chip ( 202 ) a decryption initial value assigned to the encryption initial value is stored in a decryption instruction assigned to the encryption instruction, wherein the first semiconductor chip ( 200 ) a first communication interface ( 104a ) configured to generate an encryption data stream from an input data stream using the encryption initial value according to the encryption protocol, wherein the second semiconductor chip ( 202 ) a second communication interface ( 104b ) configured to receive the encryption data stream and determine from the encryption data stream using the decryption initial value according to the decryption rule a decryption data stream and to compare the determined decryption data stream with an expected data stream, the second data communication interface being further adapted to provide a defensive measure a transfer of data from the second communication interface ( 104b ) to the first communication interface ( 104a ), if the decryption data stream does not correspond to an expected data stream, wherein the second semiconductor chip ( 202 ) a functional unit with a third data transmission interface, a control device ( 100c ) with a fourth data transmission interface ( 104c ) and a bus (XBUS), which is the first ( 104a ), second ( 104b ), third and fourth ( 104c ) Data transmission interface, and wherein the method comprises the steps of: encrypting data of the input data stream in the first data transmission interface ( 104a using the encryption initial value according to the encryption policy to generate the encryption data stream; Transmitting the encryption data stream from the first communication interface ( 104a ) to the second communication interface ( 104b ); Decrypting the encryption data stream in the second communication interface ( 104b using the decryption initial value according to the decryption rule to determine the decryption data stream; Taking a defense against transmission of data from the second communication interface ( 104b ) to the first communication interface ( 104a ) if the decryption data stream does not correspond to an expected data stream; and transmitting the decryption initial value via the bus (XBUS) in the second semiconductor chip ( 202 ) of the memory element ( 110 ) of the second semiconductor chip ( 202 ) to the functional unit, wherein upon transmission of the decryption initial value from the memory element ( 110 ) of the second semiconductor chip ( 202 ) to the functional unit, a transmission of the decryption initial value to the first semiconductor chip ( 200 ) is suppressed.
  23. Computer program with program code for carrying out the method according to claim 22, when the computer program runs on a computer.
DE200510063482 2005-03-24 2005-03-24 Data transmission device for use in data processing device, has interface performing preventive measure against transferring of data from that interface to other interface, if decoding data stream does not correspond to expected data stream Active DE102005063482B4 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
DE200510063482 DE102005063482B4 (en) 2005-03-24 2005-03-24 Data transmission device for use in data processing device, has interface performing preventive measure against transferring of data from that interface to other interface, if decoding data stream does not correspond to expected data stream

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE200510063482 DE102005063482B4 (en) 2005-03-24 2005-03-24 Data transmission device for use in data processing device, has interface performing preventive measure against transferring of data from that interface to other interface, if decoding data stream does not correspond to expected data stream
DE200510013830 DE102005013830B4 (en) 2005-03-24 2005-03-24 Apparatus and method for encrypted transmission of data

Publications (1)

Publication Number Publication Date
DE102005063482B4 true DE102005063482B4 (en) 2012-09-06

Family

ID=46671578

Family Applications (1)

Application Number Title Priority Date Filing Date
DE200510063482 Active DE102005063482B4 (en) 2005-03-24 2005-03-24 Data transmission device for use in data processing device, has interface performing preventive measure against transferring of data from that interface to other interface, if decoding data stream does not correspond to expected data stream

Country Status (1)

Country Link
DE (1) DE102005063482B4 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19782075C2 (en) * 1996-10-25 2001-11-08 Intel Corp A circuit and a method for securing safety of the connection within a multi-chip package of an integrated circuit
DE10162310A1 (en) * 2001-12-19 2003-07-03 Philips Intellectual Property Method for signal transmission e.g. for small computers in credit card format, signal transmission takes place via smart card controller

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19782075C2 (en) * 1996-10-25 2001-11-08 Intel Corp A circuit and a method for securing safety of the connection within a multi-chip package of an integrated circuit
DE10162310A1 (en) * 2001-12-19 2003-07-03 Philips Intellectual Property Method for signal transmission e.g. for small computers in credit card format, signal transmission takes place via smart card controller

Similar Documents

Publication Publication Date Title
US4747139A (en) Software security method and systems
CN103383668B (en) System equipment on the system, the operating piece of the method and system chip comprising sheet
US5559889A (en) System and methods for data encryption using public key cryptography
JP5815294B2 (en) secure field programmable gate array (FPGA) architecture
EP2507708B1 (en) Verifiable, leak-resistant encryption and decryption
KR100628280B1 (en) Process for encrypting or decrypting a data sequence
RU2399087C2 (en) Safe data storage with integrity protection
KR101370223B1 (en) Low latency block cipher
US7082199B2 (en) Simple encrypted transmission system suitable for intermittent signals
US6295606B1 (en) Method and apparatus for preventing information leakage attacks on a microelectronic assembly
US5966448A (en) Cryptographic communication system
US5345508A (en) Method and apparatus for variable-overhead cached encryption
US20100037069A1 (en) Integrated Cryptographic Security Module for a Network Node
US4386233A (en) Crytographic key notarization methods and apparatus
JP6138333B2 (en) Master key encryption function for transmitter and receiver pairing as a countermeasure to thwart key recovery attacks
US5818934A (en) Method and apparatus for providing a cryptographically secure interface between the decryption engine and the system decoder of a digital television receiver
JP3975677B2 (en) The information processing apparatus
KR101094857B1 (en) Protected return path from digital rights management dongle
EP1055306B1 (en) Cryptographic device with encryption blocks connected in parallel
EP1244247B1 (en) Key decrypting device
US7457960B2 (en) Programmable processor supporting secure mode
EP1802030A1 (en) Secure system-on-chip
CN101086769B (en) Encrypting system for encrypting input data and operation method
US5444781A (en) Method and apparatus for decryption using cache storage
US6351539B1 (en) Cipher mixer with random number generator

Legal Events

Date Code Title Description
8110 Request for examination paragraph 44
R016 Response to examination communication
R018 Grant decision by examination section/examining division
R020 Patent grant now final

Effective date: 20121207

R082 Change of representative