FR2661532A1 - Memory with wordwise protected access - Google Patents

Abstract

The invention relates to integrated memory circuits in which the information from the memory is to be protected in read, write or erase mode. In order to allow optimisation of the use of the memory even in the cases where there are numerous possibilities of access control depending on various levels of entitlement of the users, the invention proposes that each word of the memory include first p bits which define the access authorisations for this word as a function of the entitlement level. Before each new read or write or erase operation for a specified word address, a register (RP) is rezeroed, thus authorising the reading of the first p bits of the word. These first p bits are placed in the register (RP) and define, by virtue of a programmable logic array (RLP), the access authorisations in read, write and erase modes for the remainder of the word. The programmable logic array also receives logic levels (N1, N2, N3) indicating the level of entitlement of the user.

Description

WORD-BY-WORD PROTECTED ACCESS MEMORY
The invention relates to memories, and more particularly those whose data must be protected, that is to say that certain operations on the words of the memory are prohibited to an unauthorized user but possible for other users, d 'other operations being possibly authorized for the first user.

 For example, in certain areas of the memory, one authorized user will be able to read and write, another will only be able to read, and a third will not be able to read or write, etc.

 This problem of controlling access to memory data frequently occurs in integrated circuits for smart cards when these cards are used as currency or as access key or as means of identification or even as bank of portable data, etc.

 In these cases, but also in others, it is important to manage with great care the possibilities of access by users to information written in the card, or in the places of writing in the memory; this is particularly true when the card contains erasable and rewritable memory areas (EEPROM memories in particular) which contains sensitive data. To give an example, a bank or a service provider must be able to replenish a monetary credit on a card, but it is out of the question that the card holder can do it himself.

 With the increasing complexity of the circuits present in the cards, we realize that we need more possibilities of varied access controls, whether in read or write, for users authorized at different levels. others.

 In the state of the art, access control to memory words essentially consists in defining specific memory areas for each level of authorization, and in filtering the addresses at the input of the memory according to the level. user authorization. A user with a determined level of authorization will for example be authorized to access certain areas of memory in reading, and to prohibit access to these same areas in writing; and he will be allowed write and read access to other memory areas; and still prohibit any read or write access to other areas again.

For other users, with a different level of authorization, the conditions will be different, or it will be the data subject to access restrictions that will be different.

 The zones are predetermined zones for each level of authorization and for each type of authorization or prohibition. The memory is thus precut into well defined portions. It has been realized according to the invention that this partitioning of the memory into predetermined zones could lead to a misuse of the available memory space: in certain applications certain zones will be used very little while other zones will prove to be too small compared to needs.

 This problem becomes all the more critical as there are more types of different levels of empowerment; it also becomes more critical when we want the same integrated circuit to serve several different applications that do not have the same access control constraints.

 An object of the invention is to facilitate the management of access controls in a memory as a function of the type of operations to be performed (read, write, erase, etc.) and as a function of the different levels of authorization of the users.

 According to the invention, an integrated circuit is proposed containing a memory organized in words of n bits capable of being transmitted at least partially in series, in which each word of n bits comprises p bits which can be transmitted before the remaining np bits, these p bits serving to define at least one type of individual access authorization for the word considered, means being provided for authorizing processing on a given word location as a function of the p bits entered at the location of this word.

 This amounts to saying that each word is assigned the appropriate authorization (or appropriate authorizations), and the authorization possibilities - are written in the word itself (in the first p bits). There are therefore not entire areas of memory reserved for this or that type of authorization. A word in a location, assigned specific permissions, may very well be adjacent to words with very different types of permissions.

 It is therefore possible to optimally use all the memory available whatever the application.

 The first p bits of the word are read and decoded to define the authorization; only then will the n-p useful bits of the word be processed, according to the authorizations given.

 In most applications, what matters is that words whose reading is not authorized are not transmitted outside the integrated circuit.

Therefore, it should be understood that when it is said here that the first p bits of the word are transmitted, after which an authorization is given, this does not necessarily mean that there are two read operations within memory itself. There may very well be a single operation for reading the n bits, a processing of the first p bits of the word and a prohibition of transmission of the rest of the word at the output of the integrated circuit if the p bits imply this prohibition.

 In authorization for writing or erasing the memory, there is however necessarily an operation for reading the first p bits prior to a writing or erasing operation since these are the p bits present at the location of the word. which define the possibilities of writing and erasing in this location.

 The invention is particularly suitable for integrated circuits in which the data transmission is done in series, because then it is easy to process the first p bits arriving to authorize or prohibit the transmission of the remaining n-p bits.

 It is of particular interest for memories with sequential access of words, in which the bits of each word are read sequentially and not in parallel. The p access control bits are then the first p bits in the order in which the bits of a word are read.

 The invention is applicable to the case where the types of authorization are perfectly determined for a word and do not vary over time. It is also applicable to the case where these authorizations can vary over time: the p bits are rewritten at a word location according to the new authorizations on this word.

Finally, which is particularly interesting, the invention is applicable to the case where the authorizations on a given word depend on the level of authorization of the user, the latter being recognized by an access code: recognition of the validity of the access code will be used to complete the establishment of access authorizations to the word in question, in the sense that the p bits include information on the different authorizations to be given according to the holder's authorization; in this case, there is not a single authorization linked to a word location, but as many authorizations as there are different types of authorization.

 Not only is the flexibility of using the memory according to the invention much greater than in the prior art, but also the construction is simpler. Indeed, when the zones were frozen according to the type of authorization, it was necessary to provide a first programmable logic network to receive the address of a word and to deduce the zone therefore the type of authorization; a second programmable logic network for defining the authorizations according to the zones; and a third programmable network for determining the commands to be executed according to the order requested by the user and the authorization given.

 In the invention, a single programmable network makes it possible to determine a prohibition or an authorization of data transmission as a function of the content of the first p bits of a word. There is no need to decode the addresses to determine a type of authorization as a function of the address received since the authorization is not linked to an address. Only the content of the word defines authorization.

 It can be foreseen that there are, among the p bits defining the access conditions, bits which serve to recognize whether the word contained in the memory location is or not an enabling code, and even bits defining the level of authorization corresponding to this code. This makes it possible to bring in an additional access condition parameter: the access conditions, linked to the location of the word, will also depend on whether the content of the word must be considered as an enabling code or not.

 To ensure processing security, it is provided either that the p bits defining the access conditions are made permanently non-erasable, or that they can only be erased by a special procedure.

 Finally, in an alternative embodiment, provision can be made for at least one of the first p bits of a word to be used for defining the access conditions not for the word itself but for an adjacent word.

 Among the advantages of the invention, there is the fact that one can very well have in the memory of the zones of which the access is in read only, while keeping the possibility that the first writing of these words is made outside the manufacturing plant; in the prior art, if there were areas for which the only possible access for everyone was a read authorization, the manufacturer of the integrated circuit was the only one who could write content in these areas. With the invention, one can very well foresee that the first client or user registers the content himself and at the same time registers access conditions such that no one, including this first client or user himself, can modify the content.

Other characteristics and advantages of the invention will appear on reading the detailed description which follows and which is given with reference to the accompanying drawings in which
- Figure 1 shows a conventional arrangement of data in a protected access memory of the prior art;
- Figure 2 shows a data organization in a protected access memory according to the invention;
- Figure 3 shows a memory constitution according to one embodiment of the invention.

 FIG. 1 shows the arrangement of the data in a conventional memory with protected access. The memory is assumed to be organized in words of n bits. There are areas reserved for each type of access authorization.

For example, for an electrically erasable programmable memory, there may be
- a zone Z0 in which all writing is prohibited,
- an area Z1 in which writing is authorized for an authorized user of level 1, reading is prohibited for users of other levels;
- a zone Z2 in which only reading is authorized for a user of authorization level 1 but reading remains prohibited for a user of authorization level 2;
- a zone Z3 in which only writing is authorized but not erasure, for a user of a determined level of authorization,
- etc ... we can quickly multiply the number of different zones as soon as there are several different authorizations to be given (write, read, erase) and several different levels of authorization for these operations. The number of possible combinations is very high and the number of different zones to provide is also very high.

 The zones have dimensions which are fixed; but then, for certain applications, certain zones risk having insufficient sizes while others would be unnecessarily too large.

 In Figure 2, the organization of a memory word according to the invention has been symbolically represented.

 All words have a first part (p bits) used to define access conditions and a second part of n-p bits constituting the useful part of the stored word.

 Thus, there are no areas of fixed dimensions corresponding to a type of authorization. In practice, it will be possible to juxtapose words having the same type of access conditions, that is to say having the same p bits, but this is not compulsory. If this is done, zones are constituted as in FIG. 1, but the essential difference is that these zones do not have predetermined sizes. You can go anywhere from one zone to another, because the definition of the zone is not linked to a zone address but to the content of the first p bits of the words in the zone.

We will now describe, to better illustrate the invention, a preferred embodiment (Figure 3) in which
the memory is a sequential access memory, that is to say that the bits of a word are read one after the other, in the order in which they are stored in the memory;
- it is an EEPROM memory, that is to say programmable and electrically erasable;
- there are three levels of authorization allowing different read or write or erase operations depending on the words considered;
- certain words contained in the memory are access codes and we want to distinguish them from other words.

In practice, in this example, it will also be considered that the memory can receive five different command orders which can be, for a determined word.
- incrementing the address by one bit of the word and reading the corresponding bit;
- incrementation of the address and comparison of the bit read with a bit presented for validation (case of the presentation of an authorization code);
- programming (writing) of a bit;
- deletion of a word (writing is done bit by bit, deletion is done word by word);
- reset the bit address counter.

 The memory MEM is represented in FIG. 3. The conventional circuits for reading and writing are not shown so as not to make the drawing heavy.

 The data of the memory enters and leaves the integrated circuit by a pad P. If the data entering at a given time represents an authorization code, this code is compared bit by bit, in a code validation circuit, VAL, to an access code contained in a memory address which has been previously indicated.

 According to the level of authorization of the user (level which can result from a single code or from several codes successively verified by the VAL circuit), bits are placed by the VAL circuit in a register RN which will keep in memory, for throughout the duration of use, information on the level of authorization of the user. This information is indicated symbolically, at the output of the register RN by wires N1, N2, N3, for example each corresponding to a respective level of authorization. The levels are not necessarily hierarchical, but each level gives certain rights to certain words. A user can be authorized for one or two or three levels for example.

The outputs N1, N2, N3 of the register RN, which remain constant until a new use, are applied to the inputs of a logic circuit, preferably a programmable logic network RLP which also receives two other groups of input signals
on the one hand, the p access control bits which are the first p bits of the word recorded in the memory at a determined word address on which a particular processing must be carried out; these p bits are contained in a register RP which is updated each time that the type of processing carried out or the location of the word on which a processing is modified is modified;
- on the other hand the control orders corresponding to the treatments desired by the user on a word or a determined word location; the order of order is an order among the five possible orders indicated above; these control orders are represented by five conductors: IAL for incrementing and reading a bit; IAC for the incrementation and comparison of a bit read with a bit presented for validation; W for programming (writing) a bit; E for the deletion of a word; Reset to reset the bit address counter.

From the three series of signals received by the programmable logic network RLP
- p bits of the RP register which indicate which processing authorizations are valid for each level of authorization, for a given word,
- the outputs of the RN register which indicate the current level of authorization of the user present,
- and the desired processing order, the programmable logic network RLP elaborates the signals for authorizing and / or inhibiting processing on the word from the memory.

The precisely worked out signals depend on the precise constitution of the memory; they have been represented here schematically by three signals which are respectively a read authorization signal
AR (for reading the useful part of the word), a write authorization signal AW and an erase authorization signal AE. These signals are transmitted to the read, write and erase circuits of the memory to allow or prohibit, depending on their state, the processing requested by the user. These conventional circuits are designated by the reference CMD in FIG. 3.

The filling and then resetting of the register of p bits RP is controlled by a sequencer SEQ; the sequencer SEQ also controls the read, write, and erase CMD circuits, so that the appearance of each new command order on a determined word address (or the word change for a given command) triggers the following operations
- reset the RP register to a change of word
- operation of reading the first p bits of the word addressed
- filling the RP register with these p bits
- processing by the RLP network to determine the authorizations and prohibitions of processing on the word in question
- execution of the given processing orders, depending on the authorizations given, and in particular, reading of the np useful bits not yet read (or authorization to transmit these bits at the output of the integrated circuit if they have already been read but not yet transmitted), or write or erase the np useful bits.

 The explanations which have just been given show that the RLP network must of course be constructed in such a way that if the register RP is reset to zero, the reading of the memory is possible, without which we could not read the first p bits of the words.

In the embodiment described here, it can be foreseen that there are 12 access control bits (p = 12) which are distributed as follows
Bits O to 2: Reading authorization control, 000: reading authorized 001: reading if level 1 of accreditation recognized (N1 = 1).

010: reading if level 2 recognized (N2 = 1) 011: reading if level 3 recognized (N3 = 1) 100: reading if levels 1 and 2 recognized (Nî = l and N2 = 1) 101: reading if levels 1 and 3 recognized (Nl = 1 and N3 = 1) 110: reading if levels 2 and 3 recognized (N2 = 1 and N3 = 1) 111: reading always prohibited
Bits 3 to 5: Write control 000: write authorized 001: write if level 1 recognized (N1 = l).

010: write if level 2 recognized (N2 = 1) 011: write if level 3 recognized (N3 = 1) 100: write if levels 1 and 2 recognized (Nl = l and N2 = 1) 101: write if levels 1 and 3 recognized (N1 = 1 and N3 = 1) 110: writing if levels 2 and 3 recognized (N2 = 1 and N3 = 1) 111: writing always prohibited
Bits 6 to 8: Erasure control according to the same codes as above.

Bit 9: Operation in abacus mode: in certain applications, it is desired that one of the control bits, here bit 9, be used to act on an adjacent word. For example here, 0: active: the programming of a bit 0 at position 9 authorizes or even causes the erasure of the useful part of the word immediately following; 1: inactive: no effect
Bits 10 and 11: identification of the words which are authorization codes 00: the word is not a code 01: the word is a level 1 authorization code 10: the word is a level authorization code 2 11: this word is an authorization code for level 3.

 These last two bits of the group of bits are useful since they make it possible to recognize whether a word in the memory is an authorization code which must be compared with a code entered by a user.

Claims (11)

 1. Integrated memory circuit, comprising means for controlling access to the words of the memory, characterized in that the memory is organized in words of n bits capable of being transmitted at least partially in series, in which each word of n bits comprises p bits which can be transmitted before the remaining np bits, these p bits serving to define at least one type of individual access authorization for the word in question, means (RP, RN, RLP) being provided for authorizing processing on a given word location as a function of the p bits written at the location of this word.  2. Circuit according to claim 1, characterized in that the p bits of the words of the memory are written in a non-erasable manner.  3. Circuit according to one of claims 1 and 2, characterized in that the memory is sequential access, the words being read and written bit by bit in a determined order and the p bits being the p first bits of the word.  4. Circuit according to one of the preceding claims, characterized in that, among the p bits, at least one bit establishes a read authorization.  5. Circuit according to one of the preceding claims, characterized in that, among the p bits, at least one bit establishes a write authorization.  6. Circuit according to one of the preceding claims, characterized in that, among the p bits, at least one bit establishes an erasure authorization.  7. Circuit according to one of the preceding claims, characterized in that it comprises a programmable logic network (RLP) receiving as input the p bits of a word present at a determined word location in the memory and defining the authorizations for processing of the useful part of this word.  8. Circuit according to claim 7, characterized in that the programmable logic network comprises additional inputs coming from the outputs of a register (RN) whose state defines the level of authorization of a user.  9. Circuit according to claim 8, characterized in that the p bits are divided into groups of bits, each group defining the authorizations for a given operation and for the different possible levels of authorization.  10. Circuit according to one of claims 7 to 9, characterized in that the programmable logic network comprises additional inputs receiving signals corresponding to the processing orders given by a user on a determined word location.  11. Circuit according to one of the preceding claims, characterized in that at least one of the p bits defines a processing authorization on a word at a location adjacent to the location considered.