JPH11232884A - Nonvolatile memory device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a device having an access limit and which releases the limit only for a prescribed user by utilizing a password stored in a part of plural memory cells for releasing the access limit in a first access permission means and utilizing none of information stored in plural memory cells in a second access permission means. SOLUTION: A password access permission circuit 52 uses the passwords DoP(1)-DoP(s) stored in a password storage area 11 of a nonvolatile memory array 10 and internal write-in signals Di(1)-Di(s) answering to the data DQ(1)-DQ (s) imparted from the outside generated in an input buffer 24 to make signal P2 high level and generates the information DiP(1)-DiP(s) to be rewritten, An X address buffer 30 latches address signals A(1)-A(n) from the outside by a timing signal XL to generate X address signals AX(1)-AX(s).

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a nonvolatile memory chip having an access restriction function or a chip incorporating the same.
The present invention relates to a nonvolatile memory device such as an IC memory card.

[0002]

2. Description of the Related Art In the recent information society, there is a demand for keeping information stored in an IC memory card confidential (restricting read access) or preventing unauthorized rewriting (restricting write access). Is big.

[0003] A simple method that can be considered for realizing such an access restriction function is a RO card mounted on a memory card.
The purpose is to hold a password in M and permit access when an input that matches this password is given to the memory card. However, those who attempt unauthorized access can try various passwords, so high confidentiality is not guaranteed.

[0004] In order to realize more advanced access restriction, it is conceivable to apply a well-known encryption technique. That is, an IC memory card is provided with an encryption device including a ROM holding an encryption key and an arithmetic device that converts an arbitrary plaintext into a ciphertext using the key. When accessing the memory card, an arbitrary plain text and a corresponding encrypted text are given to the memory card as digital signals.
If the given ciphertext matches the ciphertext calculated inside the memory card, the access restriction of the memory card is released. Only those who know the encryption key and the encryption conversion method can access this memory card.

[0005]

However, when the above-mentioned encryption method is applied to a general-purpose IC memory card, there are the following problems.

(1) If the encryption device breaks down, access to the memory card becomes completely impossible. For example, if read access is restricted, important data is often stored in the memory card.
The failure of the encryption device becomes a serious obstacle.

(2) By providing the above-mentioned encryption device, the area of the chip constituting the IC memory card increases and the cost increases. Alternatively, an increase in the capacity of the mounted memory is hindered.

(3) To provide a plaintext and an encrypted text to a memory card, a second encryption device for generating an encrypted text is separately required. Security management of the second encryption device is required.

(4) Once the encryption key is known to a third party, the encryption key stored in the ROM cannot be changed, so that the access restriction function is completely lost.

(5) If the memory card is stolen by a third party, the third party may succeed in releasing the access restriction by trial and error with sufficient time.

(6) Even if a third party succeeds in releasing the access restriction by trial and error, no trace remains. Therefore, when read access is restricted, information leakage cannot be recognized. If write access is restricted, even if a third party performs unauthorized rewriting, it cannot be recognized.

It is to be noted that a method of realizing the access control function by software is also conceivable. However, since it is not known to which device the IC memory card is used,
The method implemented by software is dangerous.

An object of the present invention is to provide a non-volatile memory device or a non-volatile IC memory card which has an access restriction function and allows only a specific user to release the restriction.

The above and other objects and novel features of the present invention will become apparent from the description of the present specification and the accompanying drawings.

[0015]

The following is a brief description of an outline of a typical invention among the inventions disclosed in the present application.

That is, the non-volatile memory device of the present invention has first access permitting means for releasing access restriction and second access permitting means. The first access permitting means utilizes a password written in some of the memory cells of the rewritable nonvolatile memory device of the present invention to release the access restriction. Access restrictions are set for write and / or read.

The second access permitting means is provided in case that the password written in the memory cell in the first access permitting means is lost due to a retention failure or the like or the user forgets the password set by the user. .

In one embodiment of the present invention, the second
Has a plurality of storage elements (for example, fuses) that can be written only once. The second access permitting unit sets the storage element to one of a plurality of states that can be taken as a combination of the storage states of the plurality of storage elements, the state specifying access restriction release. Further, in one embodiment of the present invention, a circuit for restricting the use of the second access permission means to only one use can be further provided.

The second access permitting means is operated in an environment different from the environment in which the memory device of the present invention is normally used, for example, under a power supply voltage higher than normal, or
It can be implemented to be operated by a special command. Thereby, malfunction prevention can be promoted.

Further, in one embodiment of the present invention,
After reading the password used for the first access permitting means from the memory cell, a predetermined value (for example, 0) is always written back, and the first access permitting means reads after the write-back is completed. It is configured to generate an internal signal for releasing the access restriction. If the read password has the predetermined value, the first access permission means is configured so that an internal signal for releasing the access restriction is not generated. Further, in one embodiment, the nonvolatile memory device according to the present invention is a ferroelectric memory, and the first access permitting means is a read-modify-write memory in a dynamic random access memory (DRAM). It is performed by giving the same control signal procedure as the command.

In one embodiment of the present invention, the first
After reading the password used for the access permitting means from the memory cell, a predetermined value (for example, 0) is always used.
Is written back, or the read password is always rewritten. The selection of which write-back is performed can be determined based on the information written in the memory cell of the nonvolatile memory device of the present invention. Preferably, the information is assigned to a part of the read password.

In one embodiment of the present invention, the first
If the access restriction release by the access permission unit fails once, unless the power is turned on again, the access restriction release is not performed even if the first access permission unit is retried in the next correct procedure. Includes trial prevention means. The retry prevention means has two stable states, is in the first state immediately after the power is turned on, and once transitions from the first state to the second state, unless the power is turned on again. It includes a circuit that cannot return to the first state again.

In one embodiment of the present invention, there is provided means for giving only a limited user the right to selectively set access restrictions from write and / or read. The selection by the means can be determined based on the information written in the memory cell of the nonvolatile memory device of the present invention.

[0024]

DESCRIPTION OF THE PREFERRED EMBODIMENTS A specific example of a nonvolatile memory device according to the present invention will be described below. The memory device may be in the form of a memory chip or an IC card. Also, in the following, pages 234 to 242 of the IEICE English Language C Volume E79-C 1996 (IEICE Transactions on E
electronics, vol.E79-C, no.2, pp.234-242, 1996), when applied to `` Vcc / 2-plate non-volatile DRAM with ferroelectric capacitor '', that is, similar to DRAM Although an example is shown assuming a nonvolatile memory capable of performing various controls, it goes without saying that the essence of the present invention can be applied to other forms of nonvolatile memory. Although not shown, the Vcc / 2-plate nonvolatile DRAM having a ferroelectric capacitor includes, for example, a field effect transistor as a selection transistor and a ferroelectric capacitor connected in series to the memory cell, for example. It is composed. The gate electrode of the selection transistor is connected to a word line, and the source (or drain) is connected to a bit line.

<< Overall Example of Nonvolatile Memory Device >> FIG. 1 is a block diagram showing a first example of a nonvolatile memory device according to the present invention. The internal data bus 26 has a width (the number of bits) of s bits, one X address and one Y address.
S-bit data is exchanged according to the address specification.

In the case of restricting read access in the nonvolatile memory device, when the output P0 of the access permission circuit 50 is at a low level, the output enable bar signal OEB0 in the memory generated by the control signal generation circuit 40 is always high. Level (output negated state)
The read data of the memory cell array 10 includes signals DQ (1) to DQ
Not output to the outside as (s).

When the write access is restricted, the write enable bar signal WEB0 in the memory generated by the control signal generation circuit 40 when the output P0 is at the low level.
Is always at a high level (write negated state), and signals DQ (1) to DQ (s) from the outside are not written in the memory cell array 10.

The output P0 is used as a permanent access permission circuit 5
When any one of the signal P1 from the P1 and the signal P2 from the password access permission signal 52 becomes a high level, the signal becomes a high level and the access restriction is released.

First, the permanent access permission means will be described. For example, the permanent access permission circuit 51 has a plurality of fuses, and sets the signal P1 to a high level only when a specific plurality of fuses among these fuses are cut. Selection of a fuse to be cut is performed based on outputs AZ (1) to AZ (n) from the fuse cut / Z address buffer 32. The Z address buffer 32 latches external address signals A (1) to A (n) according to the timing signal SP, and outputs them as AZ (1) to AZ (n). The SP is generated in the fuse cutting mode generating circuit 41 when the control signals RASB, CASB, WEB, OEB are given from the outside in a specific procedure. As described above, since the permanent access permission means is realized by a combination of fuses, the state is maintained once the signal P1 becomes high level. Further, if an inappropriate fuse is blown, the signal P1 cannot be set to the high level again. The control signals RASB, CASB, WEB, OEB are DRA
It should be understood that these signals have the same functions as the M general access control signals of the row address strobe, the column address strobe, the write enable, and the output enable.

Next, the password access permission means will be described. The password access permission circuit 52 inputs the passwords DoP (1) to DoP (s) stored in the password storage area 11 of the memory cell array 10 and data DQ (1) to DQ (s) given from the outside. The signal P2 is set to a high level using the internal write signals Di (1) to Di (s) generated in the buffer 24. In the simplest case, DoP (1) to DoP (s)
And when Di (1) to Di (s) match, the signal P2 is set to the high level. Further, the circuit 52 generates information DiP (1) to DiP (s) to be rewritten in the password storage area 11. Although not particularly limited, once P2 is set to the high level, the state of P2 is maintained as long as the operation power of the memory is turned on.

In the above password access permitting means, DoP (1) to DoP (s) are given to the circuit 52 in the following procedure. That is, first, the X address buffer 30 latches the external address signals A (1) to A (n) according to the timing signal XL, and generates the X address signals AX (1) to AX (n). Here, if A (1) to A (n) are matched with the X address of the storage area 11, the password access flag AP becomes high level, indicating that the access is to the storage area 11. AP
Is high level, the control signal generation circuit 40
Is the internal signal WEB0, OEB0 that matches the external WEB, OEB.
Occurs and does not restrict access. It will be apparent from the description below that the password cannot be leaked and the password cannot be rewritten without restriction.

Following the generation of the X address, the Y address buffer 31 latches the external address signals A (1) to A (n) in response to the timing signal YL, and outputs the Y address signals AY (1) to AY
(n) is generated. Where AX (1) to AX (n), AY (1) to AY (n)
A (1) to A (n) are provided so that a desired password in the storage area 11 is selected. Note that AX (1) to AX (n) indicate the storage area 11, and AY (1) to AY (n) can be configured to select one of a plurality of passwords stored in the storage area 11. . That is, a plurality of different passwords can be held. The above signals XL and YL are externally supplied with control signals RASB and CAS.
When B, WEB, and OEB are given in a specific procedure, they are generated in the control signal generation circuit 40. this is,
This is equivalent to known signal generation means in DRAM.

In the above address specification, if WEB is set to a high level, the internal signal WEB0 is also set to a high level to perform a read operation. That is, the X decoder 1
3. The word line in the storage area 11 is activated via the word driver 12, and the data in the storage area 11 is latched by the sense amplifier 14. Desired passwords DoP (1) to DoP (s) are selected by the Y decoder 15 and sent to the input / output control circuit 20 via the data bus 16 having an s bit width. Therefore, the passwords DoP (1) to DoP (s) are latched by the main amplifier 21. The output destination selection circuit 22 sends DoP (1) to DoP (s) to the password access permission circuit 52 in response to the high level of the AP. Note that the output destination selection circuit 22 sends the read data from the memory cell array 10 to the output buffer 23 only when the AP is at the low level, so that the data in the storage area 11 is not read outside. That is, the password is prevented from being leaked. The above is the procedure until DoP (1) to DoP (s) reach the circuit 52.

In the above password access permitting means, DiP (1) to DiP (s) generated in the circuit 52 are rewritten in the storage area 11 as follows. That is, when the AP is at the high level, the write data selection circuit 25
To DiP (s) are selected as write data when the AP is at a low level. When the storage area 11 has been selected, AP is at the high level, and DiP (1) to DiP (s) are rewritten to the storage area 11 via the data bus 26 and the sense amplifier 14. Note that the external signal DQ (1) to the external signal DQ (s) can be obtained by the above-described function of the selection circuit 25, although the storage area 11 is not subjected to the write restriction as described above. Are not written directly into the storage area 11. That is, the password is not rewritten without permission.

The operation of the circuits 50, 51, and 52, which are the main components of the present invention, has been described. After the signal P0 becomes high level and the access restriction is released, the memory operates as a normal memory, and thus will not be described in detail here. Examples of more specific circuits of the main components of the present invention will be described later.

According to the nonvolatile memory device shown in FIG. 1, the following effects can be obtained.

(1) Even if the normally used password access permission means breaks down, or the password in the storage area 11 is lost due to some kind of failure, for example, a bad retention of the nonvolatile memory cell, a hard error, or forgetting of the password set by the user. Even in this case, since the access restriction circuit can be released by the permanent access permission circuit 51, a highly reliable security function can be obtained.

(2) Since a password is stored in a rewritable nonvolatile memory cell, a simple access restriction release method by direct comparison with an input password can be adopted, for example, by changing the password each time. However, in this case, as shown in a later example, when the internal password and the input password do not match, measures are taken to prevent unauthorized access by trial and error, such as automatic deletion of the internal password. By employing such a simple access restriction release method, the chip area can be reduced, and as a result, the cost can be reduced. Alternatively, there is no need for a separate second encryption device when using this memory. Therefore, a nonvolatile memory with a security function particularly suitable for a general-purpose memory chip and a general-purpose IC card can be obtained.

(3) Since the password is stored in the rewritable nonvolatile memory cell, even if the password is known to a third party, the password can be changed to maintain the security of the memory.

(4) If the internal password is erased at the time of unauthorized access as described in (2) above, a memory with extremely high security can be obtained with a simple configuration, but the access restriction is released by the password access permission circuit 52. Becomes impossible. To cope with this, if the existence of the permanent access permission circuit 51 or the detailed method thereof is kept confidential to a limited organization, for example, only an IC card maker, the access restriction can be released. In particular, if the permanent access permission circuit 51 is set outside the range of normal use conditions as shown in a specific example later, the danger of a user who does not know the existence of this means unintentionally exercising the means is avoided. This makes it possible to obtain a general-purpose memory that has extremely high security and has a low risk that access restriction cannot be released.

(5) If the internal password is erased at the time of unauthorized access as described in (2) above, the user can perceive that unauthorized access may have been attempted due to the inability of the password access means. . This allows the user to take measures such as strengthening the security posture.

<< Specific Example of Permanent Access Permission Unit >> Hereinafter, a specific configuration example of the permanent access permission unit will be described with reference to FIGS.

FIG. 2 shows an example of the configuration of the permanent access permission circuit 51. The circuit 51 receives the address signal AZ
(i) and AZ (m + 1), AZ (m + 2) as inputs, and fuse status signal F
Fuse state signal generation circuit 511-i that outputs S (i)
(I = 1 to m) and a fuse state logic circuit 512 having FS (i) as input and P1 as output.

FIG. 3 shows a specific example of the circuit 511-i. The circuit 511-i sets the output FS (i) to a low level when the fuse F (i) is in a connected state and the high resistance R (i) when the fuse F (i) is in a disconnected state.
Makes FS (i) high. Fuse cutting is possible when both AZ (m + 1) and AZ (m + 2) are at high level. At this time, if the address signal AZ (i) is at a high level, F
A large current flows through (i) and is cut off. If the fuse is designed so that F (i) is not cut unless the power supply voltage Vcc is higher than the normal use condition, the effect described in the effect (4) of the first embodiment can be obtained. The fuse element itself
This is a known technique for a DRAM redundant circuit and the like.

A specific example of the circuit 512 is shown in FIG. The signal P1 is at a high level only in one state where there is a combination of a high level / low level of F (i) (i = 1 to m). This state is determined by whether or not an inverter is provided before the FS (i) input to the AND element. In order to release the access restriction by setting the signal P1 to the high level, it is required to correctly input the address signals AZ (1) to AZ (m) according to the configuration of the logic circuit 512.

FIG. 5 is a specific circuit example of the fuse cutting mode generating circuit 41. The register 412 is used when the S input (set input) changes from low level to high level.
When the Q output (non-inverted output) changes to high level and the R input (reset input) changes from low to high
Set the Q output to low level. The circuit 411 changes SPset from low level to high level when RASB changes from high level to low level during the time Tp in the range of T1 <Tp <T2 after CASB and WEB change from high level to low level. Here, T1 is the delay element dela of the delay circuit 411.
T2 is determined by y (411), and T2 is determined by delay element delay (412). When the RASB transitions from the high level to the low level, a pulse having a width determined by the delay element delay (414) is generated. The circuit 411 further generates a reset pulse having a pulse width determined by the delay element delay (413) when RASB changes from low level to high level. With the above configuration, the circuit 41 sets R at the time Tp in the range of T1 <Tp <T2 after the CASB and WEB transition from the high level to the low level.
When ASB changes from high level to low level, SP is set to high level, and when RASB returns from low level to high level,
Return SP to low level.

FIG. 6 is a timing chart showing the generation of fuse cutting addresses AZ (1) to AZ (n) by the circuit 41 and the Z address buffer 32 of FIG. As described with reference to FIG. 5, when the SP transitions to the high level in response to the RASB, CASB, and WEB transitions, the circuit 32 outputs the external address signals A (1) to A (A).
(n) is latched and AZ (1) to AZ (n) are output. AZ (1) to AZ (n) continue to be output while SP is at high level, but RASB goes to high level.
(1) to AZ (n) are all reset to 0.

With the configuration shown in FIGS. 2 to 6, the access restriction is permanently released after the fuse uniquely determined by the circuit 512 is cut. In the permanent access permission means of this embodiment, (1) a power supply voltage higher than usual is required, (2) special RASB, CASB, and WEB are given, and (3) RASB is set to a low level. Since the transition timing is restricted to T1 <Tp <T2, it is considered that an accidental accident in which this measure is exercised under normal use conditions is extremely rare. Or, even if the person attempting the unauthorized access knows the existence of the permanent access release means and the facts of the above (1) and (2), the above (3)
However, it is possible to avoid a situation in which the fuse is erroneously blown and the access restriction cannot be released as a result. That is, the permanent access permission circuit 51 is used as a backup means when the password access permission circuit 52 is disabled.
Realizes a high data protection function.

FIG. 7 shows another circuit example of the fuse cutting mode generating circuit 41. In the configuration shown in FIG. 5, a person who attempts unauthorized access can repeat the fuse cutting several times. For example, if the state determined by the fuse state logic circuit 512 is a state in which all fuses are blown, the fuses are blown in order from F (1) to F (m), and the access restriction is successfully released each time. If you take the method to check whether it has been done, you will eventually succeed in removing unauthorized access restrictions. FIG. 7 shows a circuit in which the activation of the circuit 41 is limited to only one time, and illegal access is completely eliminated. In FIG. 7, a circuit 413 is provided for this purpose. The configuration of the circuit 413 is similar to that of the circuit 511-i in FIG. SP, AZ (m + 1), AZ (m + 2) are all high level,
When the fuse cutting according to AZ (1) to AZ (m) is started, the fuse F (SP) of the circuit 413 is also cut by the output of the AND element. As a result, the output FS (SP) of the circuit 413 becomes high level, and the high level is never applied to the S input of the register 412. That is, SP never goes to a high level again, and therefore AZ (1) to AZ (n) cannot be generated again. According to the embodiment of the present invention, it is possible to reduce the probability of successfully canceling the unauthorized access restriction.

<< Specific Example of Password Access Permission Means >>
Hereinafter, a specific configuration example of the password access permission unit will be described with reference to FIGS.

FIG. 8 shows a password access permission circuit 52.
1 shows an example of the configuration. The passwords DoP (1) to DoP (s) stored in the storage area 11 correspond to P2
Is latched by the password latch circuit 521 in synchronization with OEB0 only when is at the low level. Latched DoP
(1) to DoP (s) are sent to the password access determination circuit 522 as DoPL (1) to DoPL (s), and the input data Di (1) to Di (s)
Is compared to If they match, the signal P2 becomes high level and the access restriction is released. On the other hand, the password / write data generation circuit 523 generates rewrite data DiP (1) to DiP (s) for the storage area 11.

FIG. 9 is a timing chart showing a password access permission procedure. The password access permission procedure is
This is performed by a read-modify-write command well known in DRAM. X at RASB low transition timing
The address is fetched, and Y becomes low at the timing of CASB low transition.
The address is fetched and the read operation is specified by setting WEB to high level. When OEB is set to a low level at a predetermined timing, DoP (1) to DoP (s) are latched by the circuit 521. Next, WEB is changed to a low level in response to the modify write, and Di (1) to Di (s) are given. DoP (1)-DoP (s)
If Di and Di (1) to Di (s) match, P2 goes high, but the P2 high transition is performed in synchronization with the RASB high transition. This is the output of circuit 523
This is because the access restriction is released after the rewriting of the DiP (1) to DiP (s) to the storage area 11 is completed. In particular, in the following example, "0" is rewritten so that retry of an illegal access cannot be performed. Therefore, it is necessary to surely rewrite "0". Note that an attempt may be made to cause the RASB to transition high early out of specification and end the rewrite unsuccessfully. Therefore, as shown in FIG. 11 later, the high transition of P2 is caused by the XL controlling the word line activation.
(Generated by the circuit 40 in FIG. 1) and the RASB
Is added, a function is added to keep the internal signal including XL in the rewrite state until the end of the rewrite even if the signal changes to a high level earlier than specified. Since the nonvolatile memory device according to the description uses a command common to the DRAM, the nonvolatile memory device is easy to handle for the user and has an effect that the circuit configuration can be simplified.

FIG. 10 is a specific circuit example of the password / write data generation circuit 523. When P2 is at the low level, the rewrite data DiP (1) to DiP (s) are all 0. P
When 2 is high level, rewrite data DiP (1) to DiP (s)
Corresponds to Di (1) to Di (s). According to the example of the password / write data generation circuit, the password is rewritten to “0... 0” at the time of unauthorized access, so that in the case of “0. By configuring the logic of the decision circuit 522, repeated attempts for unauthorized access cannot be made, and high security can be obtained. When P2 is set to a high level after a RASB high transition as shown in FIG. 9, Di (1)
~ Even if Di (s) is correctly given, the password is "0 ...
Therefore, it is necessary to rewrite the desired password after the P2 high transition. Alternatively, as indicated by a signal P2A in FIG.
If Di (s) is correctly given, a signal that transitions immediately to a high level can be used instead of P2, and the password rewriting after the P2 high transition can be omitted.

FIG. 11 shows a password access determination circuit 52.
2 shows a specific circuit example. Immediately after the power is turned on, the output P2 of the flip-flop circuit is output by the resistor R521.
A is at a low level, and P2 is at a low level due to the high resistance R522. When the password access canceling means is performed, the circuit 525-i (i = 1 to s) determines that the latched password DoPL (i) matches the input data Di (i), and
If not 0, output high level. Signal ZRB is DoP (1)
This signal is low only when the signals DoP (s) are all low. When all the outputs of the circuit 525-i (i = 1 to s) are at the high level, the output P2A of the flip-flop circuit is inverted, and P2 goes to the low level at the timing when XL falls in response to the RASB high transition. To a high level.

FIG. 12 shows a specific circuit example of the password latch circuit 521. When OEB0 transitions to a low level while P2 is at a low level and AP is at a high level, a latch pulse LS is generated. And DoP (1) to DoP (s) are DoPL
(1) Latched as DoPL (s). The delay element de in FIG.
After the delay time determined by lay, LS goes low again, and DoPL (1) to DoPL (s) all become 0. The delay element d above
The delay of elay is set so that LS becomes low level after Di (i) reaches the circuit 522.

FIG. 13 shows a password all-zero recognizing circuit for generating the signal ZRB used in FIG.
Output OR logic of DoPL (s).

According to the specific examples shown in FIGS. 8 to 13, it is clear that the effects in the description of FIG. 1, particularly the effects of items (2) to (5) can be obtained.

<< Specific Examples of Other Circuits in Nonvolatile Memory Device >> FIGS. 14 to 19 show other specific examples of the circuit in FIG.

FIG. 14 is a specific circuit example of the write data selection circuit 25. When WEB0 is low level and write operation is performed, if AP is high level (selection of storage area 11), DiP (1)
If DiP (s) is at a low level, Di (1) to Di (s) are sent to the data bus 26 as write data DiW (1) to DiW (s).

FIG. 15 is a specific circuit example of the output destination selection circuit 22. Read data DoR (1) from main amplifier 21
DoP (1) to DoR (s) are transmitted to the circuit 52 when the AP is at a high level.
It is sent as P (s), and if AP is at low level, Do (1)
Sent as ~ Do (s).

FIG. 16 is a specific circuit example of the access permission circuit 50. When the fuse F50 is connected, the input FS50 of the OR circuit is at a high level, and the signal P0 is at a high level. That is, the access restriction has been released.
In this state, the initial password of the storage area 11 is initially set to “0”.
.. Is written to a value other than "0". Thereafter, a voltage is applied to the fuse-cutting pad to cut the fuse F50.
S50 is set to a low level by the action of the high resistance R50.
This completes the initialization of the memory of the present invention. After the fuse is cut, if either P1 or P2 goes high, P0 goes high, and the access restriction is released.

FIG. 17 shows an example of a circuit for generating the password access flag AP. Set the X address of the storage area 11 to "11 ... 1"
When AP is set, an AP is generated by AND logic of AX (1) to AX (n).

FIG. 18 is a specific circuit example of the OEB0 generation circuit provided when it is desired to limit the read access.
When the AP is at a high level or P0 is at a high level, the internal output enable signal OEB0 matches the externally applied output enable signal OEB. That is,
Access restrictions are removed. When both AP and P0 are at low level, OEB0 is at high level regardless of OEB, and read access is prohibited.

FIG. 19 is a specific circuit example of a WEB0 generation circuit provided when it is desired to restrict write access.
A circuit 190 is added as compared with FIG.
This is to prohibit the early write command known by AM from the storage area 11 when P0 is at the low level.
The circuit 190 is necessary when the password write-back method shown later in FIG. In the circuit 190, a set pulse is applied to the S input and the output Q makes a high transition only when OEB makes a low transition after a certain delay from the RASB low transition. When RASB returns to high level, a reset pulse is applied to the R input and the output Q
Makes a low transition. When P0 is at a low level and AP is at a high level, the write enable signal WEB0 in the memory is externally applied only when the password is being read by the operation of the circuit 190.
Matches B That is, there is no write access restriction. However, in this case, the write data is not the external signals DQ (1) to DQ (s) but the data DiP (1) to DiP (s) generated by the password access permission circuit 52, as shown in FIG. There is no worry that the password is rewritten to an arbitrary value without canceling the access restriction. Even when P0 is at a high level, WEB0 naturally matches WEB. When both AP and P0 are at low level, WEB0 is at high level regardless of WEB, and write access is prohibited.

<< Another Example of Password Write Data Generation Circuit >> FIG.
23 shows another circuit example of No.23. In FIG. 20, when the password access permission means is exercised, the password data DoPL is read out and latched by the circuit 521.
Part of (1) to DoPL (s), for example, if DoPL (1) is 0, 0 is written back; if it is 1, DoPL (1) to DoPL
(s) is rewritten. In FIG. 10, the circuit 523 is configured to always rewrite 0. FIG.
In the case of, while security against unauthorized access is extremely high, if unauthorized access is attempted, or if incorrect input data Di (1) to Di (s) is given as releasing means, password access restriction releasing means It will be impossible. The latter can be dealt with by storing a plurality of passwords in the storage area 11, but in any case, it may be desirable to avoid using the permanent access restriction release means as much as possible. According to the circuit 523 of FIG. 20, if some data of the password is set so that, for example, DoPL (1) becomes 1, the same password is rewritten, and
If you set it to, the password will be automatically deleted. If the user wants to protect the data in the memory to some extent, but wants to avoid the difficulty of releasing the restriction, DoPL
You can set the data protection level by setting (1) to 1 and setting DoPL (1) to 0 if you want to ensure data protection even if it becomes difficult to release the restriction.

<< Another Example of Password / Write Data Generation Circuit >> FIG. 23 shows another example of the password / write data generation circuit 523. In FIG. 23, when the initial password is set by the circuit 50 in FIG. 16, the FS 50 is at the high level, and a part of the password data, for example, DiP (1) is written to be 1. Thereafter, when the password access permission means is exercised, only when the password data DoPL (1) to DoPL (s) read out and latched in the circuit 521 match the input data and P2A becomes high level, For example, DoPL (1) is written back to 1. Otherwise, DoPL (1) is written back to 0 and never returns to 1. DoPL (2) to DoPL (s) are rewritten as they are. Here, P2A is a signal that goes high immediately upon detection of a match, and P2 is a signal that goes high after password data writing is completed. If DoPL (1) is 0, it can be recognized that some unauthorized access has been attempted in the past.

<< Another Example of WEB0 Generating Circuit >> FIG. 21 shows a circuit example of the WEB0 generating circuit used in the password access permission system. When the WEB0 generation circuit shown in FIG. 19 is provided, a general user who does not know the password is always prohibited from write access. In FIG. 21,
Based on the write access flag stored in a partial area of the memory cell array 10, write access can be restricted or released to general users. In summary, both read and write access are prohibited at power-on, but the general user specifies a known memory address, and depending on the memory information, the restriction on read or write or both is released. Is to be done. The same applies to the OEB0 generation circuit.
The WEB0 generation circuit will be described below. Immediately after the power is turned on, the output of the circuit 401 is at a low level due to the function of the resistor R40. This state is the same as FIG. However, functions corresponding to the circuit 190 in FIG. 19 are omitted for simplicity. A user who knows the access restriction release means using a password or the like and wants to release only write access to other users and prohibit read access, sets the write access flag to, for example, the X address "
It is stored as "1" in a part of the memory area designated by "01 ... 1". A general user who wants to perform write access performs a read operation specifying the X and Y addresses of the write access flag. Then, the write access flag is read, for example, as Do (1), where all accesses are still prohibited, so that Do (1) is external signal DQ (1).
, But is output from the circuit 22.
When this is input to the circuit 401 of FIG. 21, if Do (1) is set to “1”, the write access restriction is released. This is because the signal APE goes high due to the input of the X address of the write access flag, the flip-flop of the circuit 401 is inverted by the operation of the AND circuit, and the output changes to the high level. As a result, the external signal
WEB always coincides with the internal signal WEB0. However, since it is difficult to rewrite the write access flag itself, the output of the circuit 401 does not function when the APE is at a high level. To prohibit write access to general users, the write access flag may be set to "0". A user who knows the access control canceling means using a password or the like can set P0 to high level and rewrite the write access flag. Although the above description has been made with respect to write access, the same applies to read access. That is, information specified by the same address as the write access flag and read as Do (2), for example, is used as the read access flag.
The OEB0 generation circuit may be configured.

According to the above description, the user who knows the password arbitrarily releases or inhibits the write access / read access to the nonvolatile memory device of the present invention to the general user who does not know the password. it can. As a result,
As shown in an application example described later, a general-purpose nonvolatile memory device with a security function having a wide application range can be obtained.

<< Another Example of Password Access Judgment Circuit >>
The example in which the same password is always rewritten depending on the setting in the circuit 523 in FIG. 20 has been described. in this case,
Anyone trying to gain unauthorized access will try to enter every possible password. This trial can be performed relatively quickly by a computer program.
FIG. 22 is a circuit example of a password access determination circuit 522 that makes such unauthorized access difficult. In the circuit 522 in FIG. 22, when the access restriction release fails due to the input of one password, it cannot be retried unless the power is turned on again. In the circuit 522, when the power is turned on, the output P2B of the flip-flop circuit is at a high level due to the function of the resistor R521. However, FIG.
Since the latch signal LS of the password latch circuit shown in (1) is at a low level, P2 is at a low level by the action of the high resistance R522. When the password access permission means is exercised, the internal passwords DoPL (1) to DoPL (s) are
Di (1) to Di (s) do not match, or DoPL
When (1) to DoPL (s) are “0... 0”, the latch output P2A of the circuit 522 is inverted from the LS at a timing delayed by the time defined by the delay element delay (521), and becomes low level. Become. Therefore, P2 goes high at a timing further delayed by the time defined by the delay element delay (522) when P2A is maintained at high level, that is, when the internal passwords DoPL (1) to DoPL (s ) Is the input password Di
(1) to Di (s) and only when they are not "0 ... 0". Even if the password access permitting means is subsequently used with another input password, P2B, that is, P2 can no longer be reversed. Power must be cycled. According to the embodiment of the present invention, even in a method in which an internal password is not automatically erased when an unauthorized access fails, the time and effort for performing the unauthorized access increase, so that the security can be improved.

The configuration of the present invention and a specific circuit example have been described above. Hereinafter, application examples of the nonvolatile memory device of the present invention will be described. The following application example assumes an application in the form of an IC memory card in which the chip-type nonvolatile memory device (that is, the semiconductor nonvolatile memory) of FIG. 1 is mounted.

<< Application Example 1 >> A general-purpose IC memory card having a security function can be used for storing personal data. The password is written by the person who writes the personal data by changing the initial password when the IC memory card is issued. If the password in the nonvolatile memory device is lost due to retention failure or the password access permission circuit breaks down and the access restriction can not be released by the password access permission means, the access restriction is released by the permanent access permission means. I do.

As a case where the password access permitting means does not function, there may be a case where a third party attempts unauthorized access. This is because the internal password is automatically deleted by exercising the permission means. Therefore, the existence of the permanent access permission means, or the detailed procedure thereof, should be known only to an authorized organization such as an IC maker. The IC card holder requests, for example, an IC maker to repair the data, and the IC maker releases the access restriction by the permanent access permission means. However, in this case, the authority must have a means to confirm that the client is indeed the owner of the IC memory card. A personal signature may be written on the surface of the IC card.

It is recommended that a cautious user write a password on an IC memory card using a trusted device such as a personal computer at home. This is because in a public device, for example, a password input from a keyboard may be modified so as to be separately stored in a storage device in the device. If a plurality of passwords are written in the storage area 11 and the password is not newly written again when the access restriction of the IC memory card is released by a public device (if the password is left automatically deleted), at least An IC memory card can be used in a public device only one less than the number of passwords written in advance, and high security is maintained. The last password is used to rewrite the password on a personal computer at home.

The password / write data generation means described with reference to FIGS. 20 and 23 does not disable the access restriction even if a third party attempts unauthorized access (rewriting without automatic password erasure). Yes) selection function may be provided. Alternatively, as described above, it is convenient to add a function that can arbitrarily prohibit / release write access and / or read access to a user who does not know the password.

<< Application Example 2 >> A function corresponding to so-called “confidentiality” can be realized. B uses IC memory card instead of written A
Mail to. Upon receiving the IC memory card, A asks B for the password by telephone or the like, releases the access restriction of the IC card by the password access permitting means, and reads the contents. If the access restriction release fails, it can be determined that the password in the nonvolatile memory device has been lost due to retention failure, the password access permission circuit has failed, or the password has been automatically erased due to some unauthorized access during mailing. . If the access restriction is correctly released by the password access permission means, it can be determined that there is almost no possibility that the data has been tampered with during mailing.

If the password access permitting means is disabled and B itself loses data and cannot be mailed again, the IC card holder requests the IC maker to repair the data, for example. The access restriction is released by the dynamic access permission means.

<< Application Example 3 >> Applicable to personal authentication. If it is necessary to authenticate person A at a remote location by communication,
The person B who gives authentication writes a password and other authentication information on the IC card of the present invention, and then
Give it to A. Only the password B and the authentication information are known. When authenticating A at a remote place, B releases the access restriction of the IC card by the password access permitting means via the communication means. Here, the password access permission means can be given only by B who knows the password. When the access restriction is released, B reads out the authentication information via the communication line, and if this matches the value set in advance by B, the communication is performed (unless the IC card is handed to another person from A). It can be authenticated that the other party is A. Further, if the password in the nonvolatile memory device is lost due to a retention failure or the like, or the password access permission circuit has failed, B releases the access restriction using the permanent access permission means and reads the authentication information. be able to. In this case, it is better to design so that the permanent access permission means can be exercised at the normal voltage.

As a modification of the application example 3, there is an information service. The IC memory card of the present invention functions as a prepaid card / information storage memory. Persons receiving information services
A receives the IC card of the present invention in exchange for money from the information service providing side B. B writes the password and the authentication information on the IC card in advance. Later, when A requests information via the communication line, B reads the IC card authentication information via the communication line by the password access permission means. If this matches B, the information is written to the IC card. The information includes, for example, game software. At the end of writing, a mode is set in which only write access is prohibited and read access is released, for example, in accordance with the means described in the above section <Another Example of WEB0 Generation Circuit>. A uses the IC card of the present invention mounted on a game machine.

It is also possible to write passwords in a number corresponding to the amount of money so that information corresponding to the amount of money can be obtained. Alternatively, write access prohibition is limited to a predetermined block area, and a write-accessible block is provided,
You may enable it to record personal information regarding a game there.

If the password in the non-volatile memory device is lost due to a retention failure or the like, or the password access permission circuit has failed, B can perform an information service using the permanent access permission means.

Although the invention made by the inventor has been specifically described based on the embodiment, it is needless to say that the present invention is not limited to the embodiment and can be variously modified without departing from the gist of the invention. No.

For example, the memory cell is not limited to a ferroelectric memory cell, but may be an EEPROM or a nonvolatile memory cell for a flash memory. The non-volatile memory device can be realized as a semiconductor integrated circuit chip or as an IC memory card on which the chip is mounted. I c
In the case of a memory card, it is not necessary to mount a data processing semiconductor integrated circuit such as a microcomputer together to improve the security of the memory chip. In the present invention, the required security is realized by the memory device itself.

[0083]

The effects obtained by typical ones of the inventions disclosed in the present application will be briefly described as follows.

Even if the normally used password access permitting means breaks down, or if the password in the storage area is lost due to some kind of failure, for example, a bad retention of the nonvolatile memory cell, a hard error, or forgetting of the password set by the user, Since the access restriction circuit can be released by the permanent access permission means, a highly reliable security function can be obtained.

Since the password is stored in the rewritable nonvolatile memory cell, for example, by changing the password each time, a simple access restriction release method by direct comparison with the input password can be adopted. Further, when the internal password and the input password do not match, a measure for preventing unauthorized access by trial and error, such as automatic deletion of the internal password, can be taken. The chip area can be reduced by adopting such a simple access restriction release method,
As a result, costs can be reduced. Therefore, a nonvolatile memory with a security function particularly suitable for a general-purpose memory chip and a general-purpose IC card can be obtained.

Since the password is stored in the rewritable nonvolatile memory cell, the security of the memory can be maintained by changing the password even if it is known to a third party.

If the internal password is erased at the time of unauthorized access, an extremely secure memory can be obtained with a simple configuration, but the access restriction can not be released by the password access permitting means. In order to cope with this, a permanent access permission means is provided so that access restriction can be released even in an emergency. If the permanent access permission means is set outside the normal use conditions, it is possible to avoid the danger of unintentionally exercising the means by a user who does not know the existence, and it is extremely high security and the access restriction can be released. A general-purpose memory with a low risk of being disabled can be obtained.

If the internal password is erased at the time of unauthorized access, the user can perceive that unauthorized access may have been attempted due to the inability of the password access means. This allows the user to take measures such as strengthening the security posture.

[Brief description of the drawings]

FIG. 1 is a block diagram illustrating an example of a nonvolatile memory device of the present invention.

FIG. 2 is a block diagram illustrating an example of a permanent access permission circuit.

FIG. 3 is a logic circuit diagram showing an example of a fuse state signal generation circuit.

FIG. 4 is a logic circuit diagram showing an example of a fuse state logic circuit.

FIG. 5 is a logic circuit diagram showing an example of a fuse cutting mode generation circuit.

FIG. 6 is a timing chart of generation of a fuse cut address.

FIG. 7 is a logic circuit diagram showing an example of a fuse cutting mode generating circuit that is activated only once.

FIG. 8 is a block diagram illustrating an example of a password access permission circuit.

FIG. 9 is a timing chart of generation of a password access permission signal.

FIG. 10 is a logic circuit diagram illustrating an example of a password / write data generation circuit.

FIG. 11 is a logic circuit diagram illustrating an example of a password access determination circuit.

FIG. 12 is a logic circuit diagram illustrating an example of a password latch circuit.

FIG. 13 is a logic circuit diagram showing an example of a password all-zero recognition circuit.

FIG. 14 is a circuit diagram illustrating an example of a write data selection circuit.

FIG. 15 is a circuit diagram illustrating an example of an output destination selection circuit.

FIG. 16 is a logic circuit diagram illustrating an example of an access permission circuit.

FIG. 17 is a logic circuit diagram showing an example of a password access flag generation circuit.

FIG. 18 is a logic circuit diagram showing an example of a WEB0 generation circuit.

FIG. 19 is a logic circuit diagram showing an example of the OEB0 generation circuit.

FIG. 20 is a logic circuit diagram illustrating an example of a password / write data generation circuit.

FIG. 21 is a logic circuit diagram illustrating an example of a WEB0 generation circuit.

FIG. 22 is a logic circuit diagram illustrating an example of a password access determination circuit.

FIG. 23 is a logic circuit diagram illustrating an example of a password / write data generation circuit.

[Explanation of symbols]

 A (1) to A (n) External address signal DQ (1) to DQ (s) External data signal RASB Lath address strobe bar signal CASB Column address strobe bar signal WEB Write enable bar signal OEB Output enable bar signal WEB0 Internal write enable bar signal OEB0 Internal output enable bar signal AX (1) to AX (n) X address signal AY (1) to AY (n) Y address signal AZ ( 1) to AZ (n) Fuse cutting address signal Di (1) to Di (s) Internal write data Do (1) to Do (s) Internal read data DiP (1) to DiP (s) Password write data DoP (1 ) To DoP (s) Password read data P0 Access permission signal P1 Permanent access permission signal P2 Password access permission signal XL X address timing signal YL Y address timing signal SP Fuse cut address timing signal AP Password access flag

Claims (18)

[Claims] A plurality of non-volatile memory cells rewritable by an electric signal; and a control circuit for exchanging information of the plurality of memory cells with the outside. At least a part of the access restriction means for prohibiting read and / or write, a first access permission means for releasing the access restriction, and a second access permission means for releasing the access restriction. The first access permitting means utilizes a password stored in a part of the plurality of memory cells to release the access restriction, and the second access permitting means applies the password to the plurality of memory cells. A non-volatile memory device characterized by not utilizing stored information at all. 2. The method according to claim 1, wherein the second access permission unit utilizes a plurality of storage elements that can be written only once, and a predetermined one of a plurality of states that can take a combination of storage states of the plurality of storage elements. 2. The nonvolatile memory device according to claim 1, wherein the access restriction is released when the storage element is set in one of the states. 3. The nonvolatile memory device according to claim 2, wherein said second access permitting means further includes means for limiting the operation for canceling access restriction to only one operation. 4. The non-volatile memory device according to claim 1, wherein said second access permitting means cancels access restriction by a control method which is not open to a user. 5. A memory system comprising: a plurality of nonvolatile memory cells which can be rewritten by an electric signal; and a control circuit for exchanging information of the plurality of memory cells with the outside. For at least part of
Immediately after power-on, both read and write access are prohibited, and then one of access restrictions that prohibits read and / or write based on the first information stored in a part of the plurality of memory cells is selected. And a first access permitting means for permitting rewriting of the first information related to the selection setting means and canceling the access restriction. The above rewriting permission and access restriction release
A nonvolatile memory device, which is determined based on a relationship between a password stored in a part of the plurality of memory cells and information provided from outside. 6. The apparatus according to claim 5, wherein the first access permission means performs the rewrite permission and the access restriction release when the information given from the outside matches the password. A nonvolatile memory device according to claim 1. 7. The first access permitting means, when the information given from the outside does not match the password, writes back a predetermined value to a memory cell allocated for storing the password, 7. The nonvolatile memory device according to claim 6, wherein when the read password has the predetermined value, the rewriting permission and the access restriction are not released. 8. The nonvolatile memory device according to claim 5, wherein said plurality of memory cells include a ferroelectric capacitor and a field effect transistor. 9. The first access permitting means is executed by giving the same control signal procedure as a read-modify-write command in a dynamic random access memory. At this time, externally applied write data 6. The nonvolatile memory device according to claim 5, wherein the rewriting permission and the access restriction release are performed by comparing the password with the password. 10. The nonvolatile memory device according to claim 5, wherein a plurality of sets of said password can be stored. 11. A memory system comprising: a plurality of nonvolatile memory cells rewritable by an electric signal; and a control circuit for exchanging information of the plurality of memory cells with the outside. And at least a first access permitting means for canceling the access restriction, and canceling the access restriction by the first access permitting means. Is determined based on a relationship between a password written in a part of the plurality of memory cells and information provided from outside, and the first access permitting means does not cancel the access restriction. When the decision is made, select either to always write back the specified value or to always rewrite the read password. A non-volatile memory device having a password rewriting means, wherein the selection by the password rewriting means is determined based on information written in a part of the plurality of memory cells. 12. The apparatus according to claim 11, wherein said first access permitting means cancels said access restriction when said externally provided information matches said password. Non-volatile memory device. 13. The nonvolatile memory device according to claim 11, wherein said selection by said password rewriting means is performed by utilizing a part of information of said read password. 14. The non-volatile memory device according to claim 11, wherein the plurality of memory cells include a ferroelectric capacitor and a field effect transistor. 15. The first access permitting means is executed by giving the same control signal procedure as a read-modify-write command in a dynamic random access memory. In this case, externally applied write data 12. The access restriction is released by comparing the password with the password.
A nonvolatile memory device according to claim 1. 16. The nonvolatile memory device according to claim 11, wherein a plurality of sets of said password can be stored. 17. The first access permitting means, when the access restriction release by the first access permitting means fails due to an erroneous procedure, if the power is not turned on again,
Next, retry prevention means includes a retry prevention means for preventing the access restriction from being released even when retrying the access restriction release by the first access permission means in a correct procedure. It has a second state, is in the first state immediately after power-on, and once transitions from the first state to the second state, cannot return to the first state again unless power is turned on again. The nonvolatile memory device according to claim 11, comprising a circuit. 18. A memory device comprising: a plurality of non-volatile memory cells rewritable by an electric signal; and a control circuit for exchanging information of the plurality of memory cells with the outside. And at least a first access permitting means for canceling the access restriction, and canceling the access restriction by the first access permitting means. Is determined based on a relationship between a password written in a part of the plurality of memory cells and information provided from outside, and further, the first access permission unit reads the password from the memory cell, Change and rewrite part of the information of the read password regularly, or rewrite the read password as it is Password rewriting means for selecting any one of the plurality of memory cells, and the selection by the password rewriting means is performed between information written in a part of the plurality of memory cells and information given externally. A nonvolatile memory device, which is determined based on a relationship.