MXPA01002352A

MXPA01002352A - Access-protected data carrier

Info

Publication number: MXPA01002352A
Application number: MXPA/A/2001/002352A
Authority: MX
Inventors: Harald Vater; Hermann Drexler
Original assignee: Giesecke & Devrient Gmbh
Priority date: 1998-09-11
Filing date: 2001-03-05
Publication date: 2002-02-26

Abstract

The invention relates to a data carrier, comprising a semiconductor chip (5) with at least one memory. An operating programme which is capable of performing at least one operation (h) is filed in the memory. In order to prevent unauthorised access to the data (x) that is processed with said operation (h), both this data and the operation (h) itself are defamiliarised. The defamiliarisation of the data (x) and the defamiliarisation of the operation (h) are co-ordinated in such a way that the either the output data (y) of the non-defamiliarised operation (h) are produced with the defamiliarised operation (hR1R, hR1R2) or defamiliarised output data (y o R2) from which the output data (y) can be determined.

Description

DATA CARRIER WITH PROTECTED ACCESS This invention is related to a data carrier having a sem-driver chip in which secret data is stored. The invention relates in particular to a smart card. Data carriers containing chips are used in a large number of different applications, for example, to conduct monetary transactions, pay for goods or services, or as a means of identification for admission or access controls. In all applications, the data carrier chip normally processes secret data that must be protected from access by unauthorized third parties. Said protection is ensured, among other things, by giving the internal structures of the cipp with very small dimensions so that it is very difficult to access the structures in order to spy on the data processed in said structures. In order to prevent further access, one can imbue the chip into a highly adherent compound whose removal by force destroys the plate itself or at least the secret data stored within it. It is also possible to provide the semiconductor plate during its production with a protective layer that can not be removed without destroying the semiconductor plate. With corresponding technical equipment, which is extremely expensive but nevertheless fundamentally available, an attacker could possibly succeed in exposing and examining the internal structure of the chip. The exposure could be affected, for example, by special etching methods or a suitable grinding process. The structures of the chip thus exposed, such as the conductive paths, may be in contact with micro-probes or be examined by other methods to determine the signal patterns in said structures. Subsequently, one could attempt to determine from the detected signals secret data of the data bearer, such as secret keys, in order to be able to use them for manipulation purposes. One could likewise selectively try to influence the signal patterns in the exposed structures by means of micro probes.

The invention is based on the problem of protecting secret data present in the chip of a data carrier of unauthorized access. This problem is solved by the characteristic combinations of claims 1 and 9. The inventive solution does not seek, as the prior art, to avoid exposure of the internal structures of the chip and the assembly of microprobes. Instead, steps are taken to make it difficult for a potential attacker to infer secret information from any intercepted signal pattern. Said measures consist, in accordance with the intion, in manipulating relevant security operations so that the secret data used to perform said security relevant operations can not be determined without including more secret information. For this purpose, the relevant security operations are disguised or falsified with the help of appropriate functions before execution. In order to prevent or even prevent in particular a statistical evaluation in case of multiple execution of the relevant security operations, a random component enters the masking function. As a result, an attacker can not determine the secret data of any of the intercepted data streams. The relevant safety operation will be represented in the following by the function h that graphs the input data x in the data and output, that is, y = h (x). To prevent the secret entry data x from being spied on, the invention provides the disguised function hR? R2 to be determined, for the following to hold: yR2 = hR1R2 (xR). The relevant security operation is now performed through the disguised function hR1R2 whose input data is not data x real secrets but secret data disguised x <;?) Ri generated by the data x authentic secrets combined with the random number? _. Without knowing the random number. R_ one can not determine the data x authentic secrets of secret data disguised x®?]. As a result of the application of the disguised function hR1R2 to secret data disguised x Rx one can obtain disguised output data and ®R2. From disguised output data and ®R2 one can determine the data and output by a suitable combination.

Before each new execution of the relevant security function one can set new random numbers. R_ and R 2 from which a new disguised function h R can be determined. R 2 in each case. Alternatively, a plurality of disguised functions h R? R 2 can be permanently stored, one of which is randomly selected before the execution of the relevant security operation. It is especially advantageous to use two functions hR? > R 2 and h R ¡R 2,, random numbers R] _ 'and R 2' being the inverse values of the random numbers _. and R with respect to the type of combination selected for masking. In a further variant, the random numbers R? and R2 can also be identical. In particular, the random numbers J? _ And R 2 can be selected statically and independently so that there is no correlation between the input and output data that can be used for an attack. If other operations are performed before or after the relevant security operation h in question here, the random numbers R and R 2 can also be used to disguise the processed data with other operations.

The inventive solution can be used especially and advantageously for relevant security operations that contain non-linear functions. With non-linear functions one can not apply known protective measures based on the masking of secret data before the execution of the functions. The known protective measures presume that the functions are linear with respect to the masking operations so that the in-masking can be undone after the execution of the functions. However, in the inventive solution, not only are the secret data falsified or disguised but also the relevant security operations that process the secret data. The masking of the secret data and the relevant security operations are coordinated so that the authentic secret data can be derived from the secret data disguised after the execution of the relevant security operations. The coordination between the masking of the secret data and the relevant security operations can be carried out especially in a simple way if the relevant security operations are carried out in the form of tables, called search tables.

In the tables mentioned above, each input value x has an output value and associated with them. The functions performed by the tables are executed by means of search output values and they belong to the particular input values x. The invention will be explained below with reference to the modalities shown in the figures, in which: Figure 1 shows a smart card in a top view, Figure 2 shows a widely enlarged detail of the chip of the smart card shown in the Figure 1 in a top view, Figures 3a, 3b, 3c and 3d show representations of the search tables. Figure 1 shows a smart card 1 as an example of the data carrier. The smart card 1 is composed of a card body 2 and a chip module 3 fixed in a specially provided space in the body 2 of the card. The essential components of the chip module 3 are contact surfaces 4 to produce an electrical connection with an external device, and the chip 5 electrically connected to the contact surfaces 4. As an alternative or in addition to the contact surfaces 4, a coil not shown in Figure 1 or another transfer means may be present to produce a communication link between the chip 5 and an external device. Figure 2 shows a greatly enlarged detail of the chip 5 of Figure 1 in a top view. The special feature of Figure 2 is that the active surface of the chip 5 is shown, ie, it does not show all the layers generally protecting the active layer of the chip 5. In order to obtain information about the signal patterns inside the chip, one can, for example, contact the exposed structures with microprobes. The microprobes are very thin needles which are brought into electrical contact with the exposed structures 6, for example, conductive paths by means of a precision positioning device. The signal patterns collected by the microprobes are processed with suitable evaluation and measurement devices with the aim of inferring secret chip data. The invention makes it very difficult or almost impossible for an attacker to have access to the particular secret data of the chip even if it has been able to remove the protective layer of the chip 5 without destroying the circuit and making contact with the exposed structures of the chip 5 with microprobes or intercept them in some way or another. The invention, of course, is also effective if an attacker has access to the signal patterns of the chip 5 in some other way. Figures 3a, 3b, 3c and 3d show simple examples of search tables in which the input and output data each have a length of 2 bits. All table values are represented as binary data. The first line establishes the data x of input, and the second line of data and output associated with them, in the particular column. Figure 3a shows a search table for an undisguised function h. Figure 3a indicates that the output value x = 00 has an output value h (x) = 01 associated with it, the input value 01, the output value 11, the input value 10, the output value 10, and the input value 11, the output value 00. The search table according to Figure 3a represents the non-linear function h that must be executed within the framework of a relevant security operation. However, according to the invention, one does not use the search table shown in Figure 3a by itself to execute the relevant security operation, but instead derives a search table disguised from the search table according to the Figures 3b, 3c and 3d. Figure 3d shows an intermediate step to determine the search table in disguise. The search table according to Figure 3b was generated from the search table according to Figure 3a EXORING each value of the first line of the table of Figure 3a with the random number i? J = ll. In this way, when EXORar the value 00 of the first line and the first column of the table of Figure 3a with the number 11, the value 11 is produced, which is now the element of the first line and the first column of the table in Figure 3b. The remaining values of the first line of the table shown in Figure 3b are determined according to the values of the first line of the table shown in Figure 3a and the random number R_ = ll. The table shown in 1? Figure 3b can already be used as a search table in disguise to process secret data in a manner disguised with the random number R _ = 11. The result would be the clear text values that will be read in line 2 of the table in Figure 31 ). One usually accommodates the individual columns of a search table according to the ascending input data x. A given table correspondingly accommodating the table in Figure 31) is shown in Figure 3c. If the table according to Figure 3c is to be disguised additionally, or will be produced as output values equal to the disguised values instead of plain text values, one applies an additional EXOR operation with another random number.

R 2 - Figure 3d shows the result of applying said additional EXOR operation. In this operation the elements of the second line of the table according to Figure 3c each are EXORED with a random number R = 1 0. The element in the second line of the first column of the table according to Figure 3d in this way results in the EXORING of the element in the second line and the first column of the table according to Figure 3c with the random number R 2 = 1 0. The other elements of the second line of the table according to Figure 3d are formed correspondingly. The first line of the table according to Figure 3d is adopted from Figure 3c without c ambios. With the table shown in Figure 3d one can similarly determine output data disguised from disguised input data. The output data disguised in this way can be supplied to other operations to process disguised data or one can determine clear text data from them by EXORANDO with the random number R 2 = 1 0. The use of the table shown in Figure 3d makes it possible to perform non-linear operations with secret data in disguise and protect the secret data from unauthorized access. The relevant security operations themselves are also protected from unauthorized access since functions disguised in different ways can be used in each execution of the operations and the relevant security operations themselves can not be inferred even if the disguised functions can be determined. However, after conversion to clear text, both the original security relevant operations and the operations performed with the help of disguised functions produce identical results. For example, the input value 00 produces an output value 01 according to the table in Figure 3a. In order to check if the table shown in Figure 3b shows the same output value, one must first EXOR the input value 00 with the random number, R_ = 11. As a result of the combination, one gets the value 11. With the table of Figure 3d, the input value 11 in the same way produces the output value 11. To be able to determine the clear text of the output value one must EXOR the output value with the random number R 2 = 1 0. As a result of the combination, one obtains the value 01 that exactly matches the determined value with the help of the table shown in Figure 3a. By disguising the relevant safety operations or input values, not only EXORATION can be performed but also by other suitable types of combination, for example, modular addition. Furthermore, the invention is not limited to the application of non-linear functions represented by means of search tables. One can also use any nonlinear and even linear function for which an appropriate disguised function can be determined.

Claims

1. Data carrier having a semiconductor chip with at least one memory containing an operation program that is capable of executing at least one operation (h), the execution of the operation. { h) which requires the input data (x) and the execution of the operation () that generates output data (y), characterized in that - the operation (h) is disguised before its execution, the operation in disguise. { h R 1) is executed with the input data disguised (x ® R i), and the masking of the operation () and the input data (x) is coordinated in such a way that the execution of the disguised operation (n_. _.) with the input data disguised (x _> R _.) produces output data (y) identical to the output data (y) determined when executing the undisguised operation () with the input data not disguised (x.

2. Data pointer according to claim 1, characterized in that at least one random number. { R i) enters the determination of the disguised operation. { hR1) and the input data disguised (x <8> Ri).

3. Data carrier according to any of the preceding claims, characterized in that the determination of the disguised operation (hR1) and the disguised input data (x <8> Ri) is carried out with the aid of EXOR operations.

4. Data carrier according to any of the preceding claims, characterized in that the operation is disguised. { hR?) is stored permanently in advance in the data carrier.

5. Data carrier according to the indication 4, characterized in that at least two disguised operations (fi_, hR1,) are stored permanently in the data carrier in advance and one of the stored disguised operations. { h R1, hR1,) is randomly selected when a disguised operation is to be executed.

6. Data carrier according to any of claims 1 to 3, characterized in that the disguised operation (h R?) Is recalculated before execution and at least one random number. { R i) is redetermined for the calculation.

Data carrier according to any of the preceding claims, characterized in that the operation () is carried out by means of a table stored in the data carrier that establishes an association between the input data (x) and the output data (Y) .

8. Data carrier according to claim 7, characterized in that the masking of the input data (x) contained in the table is effected by combining with at least one random number (R i) -

9. Data carrier that has a semiconductor chip with at least one memory that contains an operation program that is capable of executing at least one operation (), execution of the operation (h) requires data input (x) and execution of the operation (h) generates data of: output (y), characterized in that the operation () is disguised before its execution, the disguised operation (hR?) is executed with the data of input disguised (x <8> Ri), the masking of the operation (h) and the input data (x) is coordinated in such a way that the execution of the disguised operation (hRj) with the input data disguised ( x <E> Ri) produces output data (y) identical to the output data (y) determined by executing the non-disguised operation () with the non-disguised input data (x), and the output data not disguised (and) can be determined from the disguised exit data (and ® R2) with the help a of the data. { R2) used to disguise the operation (h).

10. Data carrier according to claim 9, characterized in that at least one random number. { Ri) enters the determination of the input data disguised (x ® £ __) and at least two random numbers (Ri, R2) enter the determination of the disguised operations (hR R2).

11. Data carrier according to any of claims 9 and 10, characterized in that the determination of the operation in disguise. { hR? R2) and the input data disguised (x <2> Ri) is carried out with the help of EXOR operations.

12. Data carrier according to any of claims 9 to 11, characterized in that the disguised operation [R1R2) is stored permanently in advance in the data carrier.

13. Data carrier according to claim 12, characterized in that at least two disguised operations (hR1R, hR1 'R2,) are stored permanently in advance in the data carrier and one of the stored disguised operations [R? R2, hR, R2) is randomly selected when a disguised operation is executed.

14. Data bearer according to the rei indication 13, characterized in that the random numbers (R.?, R2) to determine the first disceding operation (hR1R2) are inversed to the random numbers. { Ri ', R') to determine the second operation in disguise. { hR1 • R2 •) with respect to the combination used to determine the disguised operations (hR? R, _? _ - _? _? ').

15. Data carrier according to any of claims 9 to 11, characterized in that the operation is disguised. { hR? R) can be recalculated before execution and the random numbers (Ri, R) can be re-determined for the calculation.

16. Data carrier according to any of claims 9 to 15, characterized in that the operation. { h) is carried out by a table stored in the data carrier that establishes an association between the input data (x) and the output data (y).

17. Data carrier according to claim 16, characterized in that the masking of the input data (x) contained in the table is effected by combining with at least one random number (R i) the masking of the output data ( and) contents of the table is effected by combining with at least one additional random number (R 2).

18. Data carrier according to any of the preceding claims, characterized in that the operation (h) is a non-linear operation with respect to the combination used to disguise the operation (h).