WO2007049181A1 - Semiconductor device and method for preventing attacks on the semiconductor device - Google Patents


Info

Publication number
WO2007049181A1
Authority
WO
WIPO (PCT)
Prior art keywords
semiconductor device
initialization
information item
attack
stored information
Application number
PCT/IB2006/053798
Other languages
French (fr)
Inventor
Joachim Garbe
Soenke Ostertun
Original Assignee
Nxp B.V.
Filing date
Publication date
Application filed by Nxp B.V.
Priority to US12/090,732 (US20090049548A1)
Priority to JP2008537253A (JP2009512952A)
Priority to EP06809608A (EP1943604A1)
Publication of WO2007049181A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00 Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14 Protection against unauthorised use of memory or access to memory
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/77 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in smart cards
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2101 Auditing as a secondary aspect
    • G06F2221/2137 Time limited access, e.g. to a computer or data

Definitions

  • The invention relates to a semiconductor device which carries out an initialization following an attack on the semiconductor device, and to a corresponding method.
  • Such semiconductor devices are used in particular as chips for smart cards.
  • Typically stored on smart card chips are information items which are intended to be able to be called up only by authorized persons. These information items are, for example, secret information items which serve to identify the user or to authorize said user. Such information items ought not to be accessible from outside, since they can otherwise be put to misuse. It is absolutely necessary to protect key data in particular, which serve to encrypt information items carried on the outside.
  • Attacks on the security or integrity of such products consist inter alia in exposing the chip to operating conditions which lie outside its specification, that is to say for example with regard to temperature, light, supply voltage or clock rate, or in applying voltage spikes to the chip.
  • As a result, the intention is to disrupt the functioning of the smart card chip in such a way that it passes into an uncontrolled operating state and carries out uncontrolled, unintended operations, from which information concerning the stored protected data can be derived.
  • To protect against such attacks, it is known to equip smart cards with sensors which detect disruptions in the operating conditions.
  • Such sensors are, for example, voltage sensors, temperature sensors, frequency sensors and detectors for light and voltage spikes.
  • One measure for protecting against attacks consists in that the chip destroys itself if it detects a disruption in the operating conditions, and thus blocks any possible outputting of the stored data.
  • Alternatively, a corresponding information item could be permanently written to a memory.
  • The disadvantage with both measures is that the chip becomes permanently unusable following a detected disruption in the operating conditions, that is to say for example even if the disruption is only random in nature, that is to say is non-malicious, or if the attacker gives up after a failed attack.
  • An alternative protective measure which avoids this disadvantage consists in that the chip automatically initializes following the detection of a disruption, in order thus to return to a defined operating state.
  • The disadvantage with this measure is that the chip is exposed to attacks again after it has run through the initialization sequence. Since the duration of such an initialization is typically of the order of magnitude of only 100 microseconds, the attacks can be carried out very often within a short time, that is to say with high frequency. The attacker can thus hope that the smart card chip will ultimately disclose the stored information if he just attacks the chip a sufficient number of times. This is known as a "brute force attack".
  • The object of the present invention is to provide a semiconductor device and a method which at least partially avoid the aforementioned disadvantages.
  • The term "attack" in this context covers any type of influencing of the semiconductor device which is able to impair the security of information stored therein.
  • Such attacks include in particular the measures mentioned above, for example exposing the semiconductor device to operating conditions which lie outside its specification.
  • The invention accordingly provides a semiconductor device which carries out an initialization of the semiconductor device following an attack, wherein an information item relating to the attack can be stored by the semiconductor device prior to the first initialization, and wherein the stored information item relating to the attack remains intact following the initialization of the semiconductor device.
  • The information item which is still available after an initialization indicates that an attack took place on the semiconductor device prior to the initialization.
  • This information item can be used, once initialization has taken place, to commence further measures for preventing a renewed attack on the semiconductor device.
  • As a result, a semiconductor device is advantageously provided which greatly reduces the repetition rate of attacks on the security of the semiconductor device and thus increases the security of stored data without destroying the semiconductor device.
  • Preferably, the stored information item remains intact only for a predetermined period of time. This means that the semiconductor device can automatically return to a normal operating state once the period of time has elapsed.
  • This period of time can furthermore be predefined.
  • In one preferred embodiment, following an initialization of the semiconductor device, the stored information item is used to trigger a further initialization of the semiconductor device.
  • As a result, an endless loop of initializations can be carried out. During the initialization operations, attacks on the semiconductor device are not possible.
  • Preferably, the stored information item remains intact for a predetermined period of time following disconnection of the semiconductor device from a power supply.
  • The information item relating to the fact that an attack has taken place on the semiconductor device then continues to be available even following disconnection of the semiconductor device from a power supply. If the semiconductor device is reconnected to the power supply within the predetermined period of time, this information item can be used to trigger a further initialization, which once again can lead to an endless loop of initializations, whereby further attacks on the semiconductor device can be prevented in a particularly effective manner.
  • In a further refinement, the semiconductor device comprises means for storing the information item, preferably a capacitive element.
  • In a further refinement, means for charging the capacitive element and means for reading the charge status of the capacitive element are provided.
  • The predetermined period of time is preferably defined by the discharge current of the capacitive element.
  • In one preferred embodiment, the discharge current is passed via a consumer, preferably a diode.
  • On account of the discharging of the capacitive element, e.g. via the leakage current of a diode, the semiconductor device is available again after a certain length of time, said length of time being dependent on the discharge time of the capacitive element.
  • As a result, different requirements in terms of security can be implemented. For smart card chips with very high security requirements, for example, the discharge time can be set to be very high using diodes with very low leakage currents.
  • Preferably, the consumer is protected by metal. Increased, undesired leakage currents due to manipulated light irradiation on the diode are thus avoided.
  • The semiconductor device comprises means for refreshing the charge of the capacitive element following an initialization of the semiconductor device.
  • In a further embodiment, the charge present in the capacitive element following an initialization of the semiconductor device can be refreshed after a predetermined number of attacks or a predetermined type of attack on the semiconductor device. It is thus possible to effectively prevent the situation whereby individual influences, which are not of a malicious nature, trigger continuous initializations of the semiconductor device.
  • The information item relating to the number or type of attacks can be stored in additional storage means.
  • Preferably, the semiconductor device comprises at least one sensor for detecting an attack on the semiconductor device.
  • In a further embodiment, the means for storing the information item comprise a plurality of capacitive elements.
  • As a result, a plurality of information items relating to attacks can be stored, wherein the information items may originate from different sensors.
  • In one preferred embodiment, the semiconductor device is an integrated circuit.
  • The invention also encompasses a smart card comprising at least one semiconductor device according to the invention.
  • The invention furthermore provides a method for preventing an attack on a semiconductor device, comprising the following steps: detecting an attack on the semiconductor device; storing an information item relating to the attack on the semiconductor device; and carrying out an initialization of the semiconductor device, wherein the stored information item remains intact.
  • After carrying out the initialization, a further initialization can be carried out.
  • Preferably, after carrying out an initialization of the semiconductor device, the stored information item is refreshed.
  • Furthermore, the stored information item preferably remains intact for a predetermined period of time following disconnection of the semiconductor device from a power supply.
  • The information item stored in the storage device is erased from the storage device within a predefined period of time.
  • The semiconductor device is then available again.
  • Fig. 1 shows a block circuit diagram of the semiconductor device according to the invention.
  • Fig. 2 shows a circuit diagram for writing information items.
  • Fig. 3 shows a circuit diagram for reading information items.
  • Fig. 4 shows a flowchart of the method according to the invention.
  • The text below describes an example of embodiment in which the semiconductor device is configured as a smart card chip.
  • The smart card chip comprises means which store an information item relating to an attack.
  • The information item may originate for example from the reaction of one of the aforementioned sensors. The reaction of such a sensor leads to an initialization of the smart card chip.
  • According to the invention, this information item relating to an attack on the smart card chip continues to be available even after an initialization has taken place. Once initialization has taken place, these information items are read and used to trigger a further initialization. This gives rise to an endless loop of initializations, as a result of which any renewed attack on the smart card chip is blocked.
  • The stored information item relating to the attack remains intact for a predetermined period of time before it is lost.
  • This period of time preferably lies in the order of magnitude of one second. This ensures that a smart card chip can be made to function again relatively quickly following a non-malicious disruption which has nevertheless been detected as an attack. On the other hand, this time is around 10 000 times longer than that of a customary initialization, as a result of which the frequency of attacks is reduced by the same factor.
  • The circuit comprises a capacitive element for storing the information item relating to the attack in the form of a charge.
  • The circuit, which both stores the charge and reads the charge status, is designed in such a way that, if the supply voltage is switched off, the charge is lost only through the leakage current of a small diode.
  • By means of layout measures, such as for example the shielding of the diode with a metal layer, it is possible to prevent the leakage current from being manipulated from outside, for example by means of light irradiation.
  • The circuit can also be designed in such a way that not only does it automatically check the charge status of the capacitive element following an initialization, but it also automatically refreshes any existing charge in order to achieve again the predetermined storage time without a supply voltage.
  • One embodiment of the present invention is shown in Figs. 1 to 3.
  • Fig. 1 shows a block circuit diagram of the semiconductor device according to the invention with the capacitor 50, which serves as a memory location for one bit, a circuit block 100 for writing to the memory location and a circuit block 200 for reading from the memory location, that is to say for reading the charge status of the capacitor 50.
  • Fig. 2 shows a circuit diagram of the circuit block 100 for writing to the capacitor 50.
  • When the supply voltage Vdd of the semiconductor device is switched on, one terminal of the storage capacitor 50 is also at Vdd. The other terminal is the node 67 on which charge can be stored. It is also brought capacitively to almost Vdd potential, since the storage capacitance is large compared to all the other capacitances on this node 67. This is the unwritten state.
  • To write the bit, this node 67 is placed at approximately 0 Volt. This is effected via the diode 120 in Fig. 2 when the node 152 is at 0 Volt. In this case, 0 Volt is not quite achieved.
  • The other transistors in Fig. 2 have purely a logic function and define the conditions under which a write operation takes place.
  • The transistors 111, 112, 109 and 110 form a latch which can be set and reset via the node 151.
  • The write status is Vdd at the node 151.
  • The transistor 108 ensures that the memory bit is reset after the semiconductor device is started, since here the signal 61 (power-on-reset) is at Vdd for a short time.
  • A write operation can then be initiated via the transistor 107 when the gate potential 150 thereof is at 0 Volt.
  • The node 150 can be set to 0 Volt by Vdd at the signal 62 (programming input) via the transistor 104, or by Vdd at the signal 64 (Qin) via the transistor 105 if the transistor 106 is conducting simultaneously through Vdd and the signal 60 (auto-refresh).
  • The transistors 101 and 102 place the node 150 at Vdd, which means "non-writing", when the signal 62 is at 0 Volt and at the same time the signal 60 is at 0 Volt. If the signal 60 is at Vdd, Vdd is applied to the node 150 via the transistor 103 when the signal 64 is at 0 Volt.
  • Fig. 3 shows a circuit diagram of the circuit block 200 for reading the charge status of the capacitor.
  • The read result is at the output 65.
  • If the output 65 is at Vdd, the bit was written.
  • The node 250 is then at 0 Volt.
  • The transistors 201, 205, 204 and 208 form a latch, which stores the read result. It can be set or reset only when the transmission gate formed by the transistors 202 and 203 is conducting, which is the case when the signal 61 is at Vdd and thus the inverted signal 252 is at 0 Volt, that is to say during an initialization process.
  • The transistors 207 and 206 block the right-hand branch of the latch so that, when the latch is set, no cross-currents flow.
  • The node 251 is brought to approximately 0.5 Volt via the transistor 209 and the transmission gate, since a threshold voltage drops at the transistor 210. If the signal 66 is considerably below Vdd, the transistor 201 opens and attempts to raise the potential at the node 251. The lower the signal 66, the sooner a Vdd potential will result at the node 251 once the transmission gate has been switched off.
  • The transistor 210 serves only to raise the switching threshold and is not absolutely necessary.
  • The signal 62 allows programming of the memory bit. As a result, it is possible to fix an alarm signal in the event of detecting an unauthorized state of the semiconductor device. As long as the supply voltage Vdd is present, the memory bit - the charged capacitor 50 - remains set. Resetting or discharging of the capacitor 50 is not provided in this embodiment and can take place only by way of an initialization (signal 61 at Vdd). However, during an initialization, the memory content of the capacitor 50 is at the same time read and latched. As can be seen in Fig. 1, this read result 65 is at the same time the input 64 of the write circuit 100.
  • The read result 65 is thus used as input 64 for the write operation.
  • As a result, the abovementioned endless loop of initializations is produced.
  • The significant advantage lies in the fact that it is not possible for an attacker to carry out an attack on the smart card chip between two initializations, since the smart card chip is initialized at the same time as the capacitor 50 is read.
  • It is possible for the auto-refresh signal 60 to be activated only after multiple unauthorized accesses or a certain combination of unauthorized accesses. As a result, problems caused by individual random disruptions can be prevented. If the signal 60 were at 0 Volt, only an explicit setting of the memory bit through signal 62 to Vdd would be possible; otherwise one initialization is sufficient to erase the bit.
  • Fig. 4 shows a flowchart of the method according to the invention.
  • In step 302 a check is made to ascertain whether this is an attack. This check can be carried out for example by checking whether a number of attacks have taken place within a predetermined period of time. Using this procedure, it is possible to achieve a situation whereby individual random disruptions are not detected as unauthorized accesses. Of course, it is also possible for any access to be deemed to be an unauthorized access. If no unauthorized access exists, the method ends.
  • Otherwise, an information item relating to the attack is stored in the following step 303.
  • In step 304 an initialization of the semiconductor device is carried out. During this initialization, the semiconductor device is reset to its original state. The information item relating to the attack which was stored in step 303 is excluded from this resetting operation, and this information item is thus available even after the initialization.
  • This is followed by step 306, in which the information item relating to the attack which was stored in step 303 is read. If such an information item is present, which is checked in step 307, the method checks in step 308 whether this information item should be refreshed, which takes place in the following step 309.
  • The method then returns to step 304 and carries out a further initialization of the semiconductor device.
  • As a result, an endless loop of initializations is produced, which makes it very difficult for an attacker to obtain information from the smart card chip, since the initialization phase is greatly extended by the successive initializations and attacks are possible only between two initialization phases.
  • The circuit design as shown in Fig. 1 to Fig. 3 ensures that the stored information item remains intact for a certain period of time following removal of the supply voltage, since the capacitor 50 is discharged only slowly via the leakage currents of the diode 120. If the supply voltage is applied again to the semiconductor device within a certain period of time, a residual charge of the capacitor 50 may be sufficient to refresh said charge in step 309 and achieve again the full charge time. An attack on the smart card chip is thus not possible even after briefly removing the smart card chip from the supply voltage.
  • Alternatively, the method can be continued from step 308 with step 311 by discharging the capacitor, specifically when no refreshing of the stored information item is to take place. The method then continues with the initialization step 304. With this embodiment, therefore, following an attack on the semiconductor device, the latter is available again after the capacitor 50 has been discharged, without having to disconnect the supply voltage from the semiconductor device.
  • One significant advantage of the invention is that attacks on the security of a smart card are made much more difficult without there being a risk of permanent functional disruption. Furthermore, it is possible to conceal such a circuit in the usual chip logic of a smart card chip. Security circuits which are located in the general logic part of a smart card chip are much more difficult to discover and manipulate than analog circuits which are located separately in an analog block. Another significant advantage is that the space requirement and thus the costs for such a circuit are very low.
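As an added example that is not part of the patent or of NXP's design, the following Python model walks through the Fig. 4 flow and the capacitor retention described above: an isolated sensor event is not deemed an attack, a burst of events writes the bit, the chip then loops through initializations, and only a supply interruption longer than the leakage-defined retention time frees it, which is where the roughly 10 000-fold reduction in attack repetition rate comes from. All component values, thresholds, the event window and the event-count policy are assumptions; the step and signal numbers follow the text.

```python
# Constructed behavioural model (not the patent's own circuit or code). All numeric values are
# assumptions, chosen so that one initialization takes about 100 us and the stored bit survives
# about one second without supply voltage, the orders of magnitude given in the text.
from dataclasses import dataclass, field

INIT_TIME_S = 100e-6  # duration of one initialization


@dataclass
class AttackMemoryBit:
    """Capacitor 50, which without supply leaks only through diode 120. charge: 1.0 = written, 0.0 = empty."""
    capacitance_f: float = 1e-12   # assumed 1 pF storage capacitor
    leak_current_a: float = 1e-12  # assumed 1 pA diode leakage (metal-shielded, so light cannot raise it)
    swing_v: float = 1.0           # assumed voltage swing between the written and unwritten node 67
    read_threshold: float = 0.15   # assumed fraction of full charge the read latch still sees as "set"
    charge: float = 0.0

    def full_discharge_s(self) -> float:
        # A constant leakage current removes the stored charge in t = C * dV / I (1 s here)
        return self.capacitance_f * self.swing_v / self.leak_current_a

    def write(self) -> None:         # programming input 62 or auto-refresh 60
        self.charge = 1.0

    def discharge(self) -> None:     # step 311
        self.charge = 0.0

    def unpowered(self, seconds: float) -> None:
        # Charge lost while Vdd is absent; linear because the leakage current is taken as constant
        self.charge = max(0.0, self.charge - seconds / self.full_discharge_s())

    def read(self) -> bool:          # read result 65, which is also write input 64
        return self.charge >= self.read_threshold


@dataclass
class SmartCardChip:
    bit: AttackMemoryBit = field(default_factory=AttackMemoryBit)
    attack_memory: bool = True     # False models a plain chip that only auto-initializes
    auto_refresh: bool = True      # signal 60: refresh the bit at every initialization (step 309)
    attack_window_s: float = 1e-3  # assumed window in which sensor events are counted (step 302)
    events_for_attack: int = 3     # assumed number of events in the window that counts as an attack
    events: list = field(default_factory=list)   # "additional storage means" for event times
    initializations: int = 0

    def sensor_event(self, t: float):
        """Steps 301 to 304: a sensor fires at time t. Returns (time, chip_available)."""
        self.events = [e for e in self.events if t - e <= self.attack_window_s] + [t]
        if len(self.events) < self.events_for_attack:  # step 302: isolated disruption, not an attack
            return t, True
        if self.attack_memory:
            self.bit.write()                           # step 303: store the attack bit
        return self.initialize(t)

    def initialize(self, t: float, max_on_s: float = 1.0):
        """Steps 304 to 309, repeated. Returns (time, True) once the bit reads clear, or
        (time, False) if still looping after max_on_s of supply time (only removing Vdd helps)."""
        start = t
        while True:
            self.initializations += 1
            t += INIT_TIME_S                 # no attack is possible during an initialization
            if not self.bit.read():          # step 307: nothing stored, normal operation
                return t, True
            if self.auto_refresh:
                self.bit.write()             # step 309: restore the full retention time
            else:
                self.bit.discharge()         # step 311: available after one more initialization
            if t - start >= max_on_s:
                return t, False

    def power_cycle(self, off_s: float, t: float):
        """Remove Vdd for off_s seconds, then power on; power-on reset (signal 61) runs step 304."""
        self.bit.unpowered(off_s)
        self.events.clear()                  # the volatile event list is lost with the supply
        return self.initialize(t + off_s)


def isolated_disruption_recovers() -> bool:
    """A single random sensor event is not deemed an attack and leaves the chip in operation."""
    chip = SmartCardChip()
    _, available = chip.sensor_event(0.0)
    return available and chip.initializations == 0


def min_power_off_to_recover(step_s: float = 0.1) -> float:
    """Shortest power-off interval after which an attacked chip leaves the loop (0.9 s here)."""
    for k in range(1, 100):
        chip, t = SmartCardChip(), 0.0
        for _ in range(chip.events_for_attack):  # several events inside the window: an attack
            t, _ = chip.sensor_event(t + 1e-5)   # after the last one the chip is looping
        _, available = chip.power_cycle(k * step_s, t)
        if available:
            return k * step_s
    raise RuntimeError("bit never leaked away")


def attack_rate_reduction() -> float:
    """Shortest attack repetition period of the protected chip divided by that of a plain one."""
    plain = SmartCardChip(attack_memory=False, events_for_attack=1)
    plain_period, _ = plain.sensor_event(0.0)  # one initialization: 100 us
    return (min_power_off_to_recover() + INIT_TIME_S) / plain_period  # about 9000 here
```

With the read threshold assumed here the bit is readable for 0.9 of the 1 s full discharge time, so the model gives a factor of about 9000 rather than the text's round 10 000; lowering the threshold or the leakage current moves it up.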

Abstract

The invention relates to a method and to a semiconductor device, comprising means for detecting an unauthorized access to the semiconductor device, wherein the semiconductor device carries out an initialization of the semiconductor device following detection of an unauthorized access, wherein an information item relating to the unauthorized access can be stored by the semiconductor device prior to the initialization, and wherein the stored information item relating to the unauthorized access remains intact following the initialization of the semiconductor device. It is advantageously provided that the stored information item remains intact for a predetermined period of time following disconnection of the semiconductor device from a power supply.

Description

SEMICONDUCTOR DEVICE AND METHOD FOR PREVENTING ATTACKS ON THE SEMICONDUCTOR DEVICE
The invention relates to a semiconductor device which carries out an initialization following an attack on the semiconductor device, and to a corresponding method. Such semiconductor devices are used in particular as chips for smart cards. Typically stored on smart card chips are information items which are intended to be able to be called up only by authorized persons. These information items are, for example, secret information items which serve to identify the user or to authorize said user. Such information items ought not to be accessible from outside, since they can otherwise be put to misuse. It is absolutely necessary to protect key data in particular, which serve to encrypt information items carried on the outside. Attacks on the security or integrity of such products consist inter alia in exposing the chip to operating conditions which lie outside its specification, that is to say for example with regard to temperature, light, supply voltage, clock rate, or in applying voltage spikes to the chip. As a result, the intention is to disrupt the functioning of the smart card chip in such a way that it passes into an uncontrolled operating state and carries out uncontrolled, unintended operations, from which information concerning the stored protected data can be derived.
For example, it is possible for attack purposes to erase the security bit of the PIC 16C84 microcontroller by setting the supply voltage to Vpp -0.5 V (programming voltage). This is because some random number generators which are also located on the smart card chip increasingly generate the value 1 when the supply voltage is reduced slightly.
To protect against such attacks, it is known to equip smart cards with sensors which detect disruptions in the operating conditions. Such sensors are, for example, voltage sensors, temperature sensors, frequency sensors and detectors for light and voltage spikes. One measure for protecting against attacks consists in that the chip destroys itself if it detects a disruption in the operating conditions, and thus blocks any possible outputting of the stored data. Alternatively, a corresponding information item could be permanently written to a memory. The disadvantage with both measures is that the chip becomes permanently unusable following a detected disruption in the operating conditions, that is to say for example even if the disruption is only random in nature, that is to say is non-malicious, or if the attacker gives up after a failed attack.
An alternative protective measure which avoids this disadvantage consists in that the chip automatically initializes following the detection of a disruption, in order thus to return to a defined operating state. The disadvantage with this measure is that the chip is exposed to attacks again after it has run through the initialization sequence. Since the duration of such an initialization is typically of the order of magnitude of only 100 microseconds, the attacks can be carried out very often within a short time, that is to say with high frequency. The attacker can thus hope that the smart card chip will ultimately disclose the stored information if he just attacks the chip a sufficient number of times. This is known as a "brute force attack".
The object of the present invention is to provide a semiconductor device and a method which at least partially avoid the aforementioned disadvantages.
This object is achieved by the semiconductor device as claimed in claim 1 and by the method as claimed in claim 18.
The term "attack" in this context covers any type of influencing of the semiconductor device which is able to impair the security of information stored therein. Such attacks include in particular the measures mentioned above, for example exposing the semiconductor device to operating conditions which lie outside its specification.
The invention accordingly provides a semiconductor device which carries out an initialization of the semiconductor device following an attack, wherein an information item relating to the attack can be stored by the semiconductor device prior to the first initialization, and wherein the stored information item relating to the attack remains intact following the initialization of the semiconductor device.
The information item which is still available after an initialization indicates that an attack took place on the semiconductor device prior to the initialization. This information item can be used, once initialization has taken place, to commence further measures for preventing a renewed attack on the semiconductor device.
As a result, a semiconductor device is advantageously provided which greatly reduces the repetition rate of attacks on the security of the semiconductor device and thus increases the security of stored data without destroying the semiconductor device. Preferably, the stored information item remains intact only for a predetermined period of time. This means that the semiconductor device can automatically return to a normal operating state once the period of time has elapsed.
This period of time can furthermore be predefined. In one preferred embodiment, following an initialization of the semiconductor device, the stored information item is used to trigger a further initialization of the semiconductor device. As a result, an endless loop of initializations can be carried out. During the initialization operations, attacks on the semiconductor device are not possible.
Preferably, the stored information item remains intact for a predetermined period of time following disconnection of the semiconductor device from a power supply. The information item relating to the fact that an attack has taken place on the semiconductor device then continues to be available even following disconnection of the semiconductor device from a power supply. If the semiconductor device is reconnected to the power supply within the predetermined period of time, this information item can be used to trigger a further initialization, which once again can lead to an endless loop of initializations, whereby further attacks on the semiconductor device can be prevented in a particularly effective manner.
In a further refinement, the semiconductor device comprises means for storing the information item, preferably a capacitive element.
In a further refinement, means for charging the capacitive element and means for reading the charge status of the capacitive element are provided.
The predetermined period of time is preferably defined by the discharge current of the capacitive element.
In one preferred embodiment, the discharge current is passed via a consumer, preferably a diode. On account of the discharging of the capacitive element, e.g. via the leakage current of a diode, the semiconductor device is available again after a certain length of time, said length of time being dependent on the discharge time of the capacitive element. As a result, different requirements in terms of security can be implemented. For smart card chips with very high security requirements, for example, the discharge time can be set to be very high using diodes with very low leakage currents.
Preferably, the consumer is protected by metal. Increased, undesired leakage currents due to manipulated light irradiation on the diode are thus avoided.
The semiconductor device comprises means for refreshing the charge of the capacitive element following an initialization of the semiconductor device. In a further embodiment, the charge present in the capacitive element following an initialization of the semiconductor device can be refreshed after a predetermined number of attacks or a predetermined type of attack on the semiconductor device. It is thus possible to effectively prevent the situation whereby individual influences, which are not of a malicious nature, trigger continuous initializations of the semiconductor device. The information item relating to the number or type of attacks can be stored in additional storage means.
Preferably, the semiconductor device comprises at least one sensor for detecting an attack on the semiconductor device. In a further embodiment, the means for storing the information item comprise a plurality of capacitive elements. As a result, a plurality of information items relating to attacks can be stored, wherein the information items may originate from different sensors.
In one preferred embodiment, the semiconductor device is an integrated circuit.
The invention also encompasses a smart card comprising at least one semiconductor device according to the invention.
The invention furthermore provides a method for preventing an attack on a semiconductor device, comprising the following steps:
- detecting an attack on the semiconductor device;
- storing an information item relating to the attack on the semiconductor device; and
- carrying out an initialization of the semiconductor device, wherein the stored information item remains intact.
After carrying out the initialization, a further initialization can be carried out. Preferably, after carrying out an initialization of the semiconductor device, the stored information item is refreshed.
Furthermore, the stored information item preferably remains intact for a predetermined period of time following disconnection of the semiconductor device from a power supply.
The information item stored in the storage device is erased from the storage device within a predefined period of time. The semiconductor device is then available again.
The invention will be further described with reference to an example of embodiment shown in the drawings to which, however, the invention is not restricted. Fig. 1 shows a block circuit diagram of the semiconductor device according to the invention.
Fig. 2 shows a circuit diagram for writing information items. Fig. 3 shows a circuit diagram for reading information items. Fig. 4 shows a flowchart of the method according to the invention.
The text below describes an example of embodiment in which the semiconductor device is configured as a smart card chip. The smart card chip comprises means which store an information item relating to an attack. The information item may originate for example from the reaction of one of the aforementioned sensors. The reaction of such a sensor leads to an initialization of the smart card chip. According to the invention, this information item relating to an attack on the smart card chip continues to be available even after an initialization has taken place. Once initialization has taken place, these information items are read and used to trigger a further initialization. This gives rise to an endless loop of initializations, as a result of which any renewed attack on the smart card chip is blocked.
If the smart card chip is disconnected from the supply voltage, the stored information item relating to the attack continues to remain intact for a predetermined period of time before it is lost. This period of time preferably lies in the order of magnitude of one second. This ensures that a smart card chip can be made to function again relatively quickly following a non-malicious disruption which has nevertheless been detected as an attack. On the other hand, however, this time is around 10 000 times longer than that of a customary initialization, as a result of which the frequency of attacks is reduced by the same factor.
In the embodiment, the circuit comprises a capacitive element for storing the information item relating to the attack in the form of a charge. The circuit, which both stores the charge and reads the charge status, is designed in such a way that, if the supply voltage is switched off, the charge is lost only through the leakage current of a small diode. By using layout measures, such as for example the shielding of the diode with a metal layer, it is possible to prevent it from being possible for the leakage current to be manipulated from outside, for example by means of light irradiation.
Furthermore, the circuit can also be designed in such a way that not only does it automatically check the charge status of the capacitive element following an initialization, but it also automatically refreshes any existing charge in order to achieve again the predetermined storage time without a supply voltage. One embodiment of the present invention is shown in Figs. 1 to 3.
Fig. 1 shows a block circuit diagram of the semiconductor device according to the invention with the capacitor 50, which serves as a memory location for one bit, and a circuit block 100 for writing to the memory location and a circuit block 200 for reading from the memory location, that is to say for reading the charge status of the capacitor 50.
Fig. 2 shows a circuit diagram of the circuit block 100 for writing to the capacitor 50. When the supply voltage Vdd of the semiconductor device is switched on, one terminal of the storage capacitor 50 is also at Vdd. The other terminal is the node 67 on which charge can be stored. It is also brought capacitively to almost Vdd potential, since the storage capacitance is large compared to all the other capacitances on this node 67. This is the unwritten state.
When the memory bit is written, that is to say when the storage capacitor 50 is charged, this node 67 is placed at approximately 0 Volt. This is effected via the diode 120 in Fig. 2 when the node 152 is at 0 Volt. In this case, 0 Volt is not quite achieved. The other transistors in Fig. 2 have purely a logic function and define the conditions under which a write operation takes place. In this embodiment, the transistors 111, 112, 109 and 110 form a latch which can be set and reset via the node 151. The write status is Vdd at 151. The transistor 108 ensures that the memory bit is reset after the semiconductor device is started, since here the signal 61 (power-on-reset) is at Vdd for a short time. A write operation can then be initiated via the transistor 107 when the gate potential 150 thereof is at 0 Volt.
The node 150 can be set to 0 Volt by Vdd at the signal 62 (programming input) via the transistor 104, or by Vdd at the signal 64 (Qin) via the transistor 105 if the transistor 106 is conducting simultaneously through Vdd and the signal 60 (auto-refresh). The transistors 101 and 102 place the node 150 at Vdd, which means "non-writing", when the signal 62 is at 0 Volt and at the same time the signal 60 is at 0 Volt. If the signal 60 is at Vdd, Vdd is applied to the node 150 via the transistor 103 when the signal 64 is at 0 Volt.
Fig. 3 shows a circuit diagram of the circuit block 200 for reading the charge status of the capacitor. The read result is at the output 65. When the output 65 is at Vdd, the bit was written. The node 250 is then at 0 Volt. The transistors 201, 205, 204 and 208 form a latch, which stores the read result. It can be set or reset only when the transmission gate from the transistors 202 and 203 is conducting, which is the case when the signal 61 is at Vdd and thus the inverted signal 252 is at 0 Volt, that is to say during an initialization process. In this case, the transistors 207 and 206 block the right-hand branch of the latch so that, when the latch is set, no cross-currents flow. If the signal 66 (In) is at Vdd, the node 251 is brought to approximately 0.5 Volt via the transistor 209 and the transmission gate, since a threshold voltage drops at the transistor 210. If the signal 66 is considerably below Vdd, the transistor 201 opens and attempts to raise the potential at the node 251. The lower the signal 66, the sooner a Vdd potential will result at the node 251 once the transmission gate has been switched off. The transistor 210 serves only to raise the switching threshold and is not absolutely necessary.
The mode of operation of the circuit shown in Figs. 1 to 3 will be described below. The signal 62 allows programming of the memory bit. As a result, it is possible to fix an alarm signal in the event of detecting an unauthorized state of the semiconductor device. As long as the supply voltage Vdd is present, the memory bit - the charged capacitor 50 - remains set. Resetting or discharging of the capacitor 50 is not provided in this embodiment and can take place only by way of an initialization (signal 61 at Vdd). However, during an initialization, the memory content of the capacitor 50 is at the same time read and latched. As can be seen in Fig. 1, this read result 65 is at the same time the input 64 of the write circuit 100. When the input 60 is active, the read result 65 is thus used as input 64 for the write operation. As a result, the abovementioned endless loop of initializations is produced. The significant advantage lies in the fact that it is not possible for an attacker to carry out an attack on the smart card chip between two initializations, since the smart card chip is initialized at the same time as the capacitor 50 is read.
This arrangement is advantageous when the power supply Vdd is momentarily switched off. In this case, the capacitor 50 retains its charge and both sides are merely pulled by Vdd toward zero. A loss of charge of the capacitor 50 can take place only via the leakage currents in the diode 120. These leakage currents are very low, particularly when the diode 120 is protected against light irradiation and is of small dimensions. When the power supply Vdd is switched on again, even a small residual charge on the capacitor 50 may be sufficient, with an active auto-refresh signal 60, to bring the charge of the capacitor 50 back to the full value. In practice, storage times of seconds to minutes have been measured, depending on the size of the capacitor and the temperature.
Depending on requirements, in a further embodiment it is possible for the auto-refresh signal 60 to be activated only after multiple unauthorized accesses or a certain combination of unauthorized accesses. As a result, problems caused by individual random disruptions can be prevented. If the signal 60 were at 0 Volt, only an explicit setting of the memory bit through signal 62 to Vdd would be possible; otherwise one initialization is sufficient to erase the bit.
Of course, embodiments are also possible which allow the memory bit to be erased via a transistor. However, this transistor would shorten the storage times of the capacitor as a result of increased leakage currents.
Fig. 4 shows a flowchart of the method according to the invention. Following detection of an access in step 301, in step 302 a check is made to ascertain whether this is an attack. This check can be carried out for example by checking whether a number of attacks have taken place within a predetermined period of time. Using this procedure, it is possible to achieve a situation whereby individual random disruptions are not detected as unauthorized accesses. Of course, it is also possible for any access to be deemed to be an unauthorized access. If no unauthorized access exists, the method ends.
In the case of an attack, an information item relating to the attack is stored in the following step 303. Then, in step 304, an initialization of the semiconductor device is carried out. During this initialization, the semiconductor device is reset to its original state. The information item relating to the attack which was stored in step 303 is excluded from this resetting operation, and this information item is thus available even after the initialization.
The method continues with step 306, in which the information item relating to the attack which was stored in step 303 is read. If such an information item is present, which is checked in step 307, the method checks whether this information item should be refreshed, which takes place in the following step 309.
In the next step, the method returns to step 304 and carries out a further initialization of the semiconductor device. As a result, an endless loop of initializations is produced, which makes it very difficult for an attacker to obtain information from the smart card chip, since the initialization phase is greatly extended by the successive initializations and attacks are possible only between two initialization phases.
The circuit design as shown in Fig. 1 to Fig. 3 ensures that the stored information item remains intact for a certain period of time following removal of the supply voltage, since the capacitor 50 is discharged only slowly via the leakage currents of the diode 120. If the supply voltage is applied again to the semiconductor device within a certain period of time, a residual charge of the capacitor 50 may be sufficient to refresh said charge in step 309 and achieve again the full charge time. An attack on the smart card chip is thus not possible even after briefly removing the smart card chip from the supply voltage. In a further embodiment, the method can be continued from step 308 with step 311 by discharging the capacitor, specifically when no refreshing of the stored information item is to take place. The method continues with the initialization step 304. With this embodiment, therefore, following an attack on the semiconductor device, the latter is available again after the capacitor 50 has been discharged, without having to disconnect the supply voltage from the semiconductor device.
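The circuit of Figs. 1 to 3 and the method of Fig. 4 as a behavioral model, added here as an example and not taken from the patent or from NXP. The capacitance, leakage current, read threshold and step 302 window are assumed values, and `refresh_policy` is a hypothetical hook standing in for the step 308 decision and the conditional activation of the auto-refresh signal 60.

```python
"""Behavioral model of the capacitor-backed attack memory described above.

Added example for this page; it is not the patent's circuit or any NXP code.
It models the one-bit capacitor memory (50), the leakage discharge through
diode 120 while the supply is off, the power-on-reset read/refresh loop of
Figs. 1 to 3 (signals 60, 61, 62, 64, 65) and the method steps 301 to 311 of
Fig. 4.  Every numeric value (capacitance, leakage current, read threshold,
attack window) is a constructed assumption, not a figure from the patent.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


def write_enable(prog_62: bool, auto_refresh_60: bool, qin_64: bool) -> bool:
    """Condition under which write circuit 100 pulls node 150 to 0 V (a write):
    programming input 62 at Vdd, or the read result fed back on 64 while the
    auto-refresh signal 60 is at Vdd."""
    return prog_62 or (auto_refresh_60 and qin_64)


@dataclass
class TamperBit:
    """One-bit memory: a charge on capacitor 50 that survives initialization."""
    capacitance_f: float = 1e-12    # assumed 1 pF storage capacitor
    vdd: float = 1.8                # assumed supply voltage
    leakage_a: float = 1e-12        # assumed 1 pA leakage of the shielded diode 120
    read_threshold_v: float = 0.5   # assumed residual voltage read circuit 200 still detects
    charge_v: float = 0.0           # voltage held on node 67; 0 V models the unwritten state

    def program(self) -> None:
        """Programming input 62 at Vdd: write the bit by charging capacitor 50."""
        self.charge_v = self.vdd

    def read(self) -> bool:
        """Read circuit 200: output 65 is Vdd when enough charge is present."""
        return self.charge_v >= self.read_threshold_v

    def power_off(self, seconds: float) -> None:
        """Supply removed: charge is lost only via the diode leakage, dV = I*t/C."""
        lost_v = self.leakage_a * seconds / self.capacitance_f
        self.charge_v = max(0.0, self.charge_v - lost_v)

    def retention_time_s(self) -> float:
        """Time without supply until the bit can no longer be read, i.e. the
        predetermined period that the discharge current defines."""
        return (self.vdd - self.read_threshold_v) * self.capacitance_f / self.leakage_a

    def initialize(self, auto_refresh_60: bool) -> bool:
        """Power-on-reset (signal 61): the charge status is read and latched
        (output 65), the write latch is reset, and the bit is rewritten only if
        write_enable() holds with 65 fed back as input 64.  Returns the read
        result, i.e. whether an attack was recorded before this initialization."""
        was_set = self.read()                      # step 306
        if write_enable(False, auto_refresh_60, was_set):
            self.charge_v = self.vdd               # step 309: refresh to full charge
        else:
            self.charge_v = 0.0                    # one initialization erases the bit
        return was_set


@dataclass
class AttackGuard:
    """Method of Fig. 4 running on top of a TamperBit."""
    bit: TamperBit
    attack_threshold: int = 3     # assumed: accesses inside the window that count as an attack
    window_s: float = 1.0         # assumed length of the period used in step 302
    access_times: List[float] = field(default_factory=list)
    initializations: int = 0

    def handle_access(self, now_s: float, every_access_is_attack: bool = False) -> str:
        """Steps 301 to 303: count accesses inside the window so that a single
        random disruption is not treated as an attack, then store the item."""
        self.access_times = [t for t in self.access_times if now_s - t <= self.window_s]
        self.access_times.append(now_s)
        if not every_access_is_attack and len(self.access_times) < self.attack_threshold:
            return "ignored"                        # step 302: no unauthorized access
        self.bit.program()                          # step 303
        return "attack_stored"

    def run_initializations(self, max_rounds: int,
                            refresh_policy: Callable[[int], bool] = lambda n: True
                            ) -> Tuple[int, bool]:
        """Steps 304 to 311, bounded by max_rounds because the loop is otherwise
        endless.  refresh_policy(n) is the step 308 decision for round n; returning
        False models the embodiment that discharges the capacitor (step 311) so the
        device becomes available again without removing the supply.
        Returns (initializations performed, device available afterwards)."""
        for n in range(1, max_rounds + 1):
            self.initializations += 1
            present = self.bit.initialize(refresh_policy(n))   # steps 304, 306 to 309 or 311
            if not present:
                return n, True                      # step 307: nothing stored, method ends
        return max_rounds, False                    # still looping: renewed attacks blocked
```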
One significant advantage of the invention is that attacks on the security of a smart card are made much more difficult without there being a risk of permanent functional disruption. Furthermore, it is possible to conceal such a circuit in the usual chip logic of a smart card chip. Security circuits which are located in the general logic part of a smart card chip are much more difficult to discover and manipulate than analog circuits which are located separately in an analog block. Another significant advantage is that the space requirement and thus the costs for such a circuit are very low.
LIST OF REFERENCES
50 capacitor
60 auto-refresh signal
61 power-on-reset signal
62 programming signal or programming input
64 input signal or input of the write circuit
65 output signal or output of the read circuit
66 input signal or input of the read circuit
67 connection node of the capacitor
100 circuit block for writing to a capacitor (write circuit)
101-112 transistors in the write circuit
150 gate potential of the transistor 107
151 node at a potential with respect to the transistors 108, 109, 110 and 112
152 node at a potential with respect to the diode 120
200 circuit block for reading the charge status of a capacitor (read circuit)
201-210 transistors in the read circuit
250 node at a potential with respect to the transistor 205
251 node at a potential
252 inverted signal of the power-on-reset signal
301-311 method steps of the method according to the invention

Claims

1. A semiconductor device which carries out an initialization of the semiconductor device following an attack on the semiconductor device, characterized in that an information item relating to the attack can be stored by the semiconductor device prior to the initialization; and the stored information item relating to the attack remains intact following the initialization of the semiconductor device.
2. A semiconductor device as claimed in claim 1, characterized in that the stored information item remains intact only for a predetermined period of time.
3. A semiconductor device as claimed in claim 2, characterized in that the predetermined period of time can be defined.
4. A semiconductor device as claimed in claim 2 or 3, characterized in that, following an initialization of the semiconductor device, the stored information item can be used to trigger a further initialization of the semiconductor device.
5. A semiconductor device as claimed in any of the preceding claims, characterized in that the stored information item remains intact for a predetermined period of time following disconnection of the semiconductor device from a power supply.
6. A semiconductor device as claimed in any of the preceding claims, characterized in that it comprises means for storing the information item.
7. A semiconductor device as claimed in claim 6, characterized in that the storage means comprise a capacitive element, and means for charging the capacitive element and means for reading the charge status of the capacitive element are provided.
8. A semiconductor device as claimed in claim 7, characterized in that the predetermined period of time is defined by the discharge current of the capacitive element.
9. A semiconductor device as claimed in claim 8, characterized in that the discharge current is passed via a consumer, preferably a diode.
10. A semiconductor device as claimed in claim 9, characterized in that the consumer is shielded by metal.
11. A semiconductor device as claimed in any of claims 7 to 10, characterized in that it comprises means for refreshing the charge of the capacitive element following an initialization of the semiconductor device.
12. A semiconductor device as claimed in any of claims 7 to 11, characterized in that the charge present in the capacitive element following an initialization of the semiconductor device can be refreshed after a predetermined number of attacks or a predetermined type of attack on the semiconductor device.
13. A semiconductor device as claimed in any of the preceding claims, characterized in that it comprises means for detecting an attack on the semiconductor device.
14. A semiconductor device as claimed in any of claims 6 to 13, characterized in that the means for storing the information item comprise a plurality of capacitive elements.
15. A semiconductor device as claimed in claim 14, characterized in that a plurality of information items relating to attacks on the semiconductor device can be stored in the plurality of capacitive elements.
16. A semiconductor device as claimed in any of the preceding claims, characterized in that the semiconductor device is an integrated circuit.
17. A smart card comprising at least one semiconductor device as claimed in any of the preceding claims.
18. A method for protecting against attacks on a semiconductor device, comprising the following steps:
- detecting an attack on the semiconductor device;
- storing an information item relating to the attack on the semiconductor device; and
- carrying out an initialization of the semiconductor device, wherein the stored information item relating to the attack remains intact.
19. A method as claimed in claim 18, characterized in that, after carrying out an initialization of the semiconductor device, a further initialization of the semiconductor device is carried out as a function of the stored information item.
20. A method as claimed in claim 18 or 19, characterized in that, after carrying out an initialization of the semiconductor device, the stored information item is refreshed.
21. A method as claimed in any of claims 17 to 20, characterized in that the stored information item is erased after a predetermined period of time.
22. A method as claimed in any of claims 17 to 21, characterized in that the stored information item remains intact for a predetermined period of time following disconnection of the semiconductor device from a power supply.
PCT/IB2006/053798 2005-10-24 2006-10-16 Semiconductor device and method for preventing attacks on the semiconductor device WO2007049181A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
US12/090,732 US20090049548A1 (en) 2005-10-24 2006-10-16 Semiconductor Device and Method For Preventing Attacks on the Semiconductor Device
JP2008537253A JP2009512952A (en) 2005-10-24 2006-10-16 Semiconductor device and method for preventing attack on semiconductor device
EP06809608A EP1943604A1 (en) 2005-10-24 2006-10-16 Semiconductor device and method for preventing attacks on the semiconductor device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP05109899 2005-10-24
EP05109899.4 2005-10-24

Publications (1)

Publication Number Publication Date
WO2007049181A1 true WO2007049181A1 (en) 2007-05-03

Family

ID=37776856

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2006/053798 WO2007049181A1 (en) 2005-10-24 2006-10-16 Semiconductor device and method for preventing attacks on the semiconductor device

Country Status (6)

Country Link
US (1) US20090049548A1 (en)
EP (1) EP1943604A1 (en)
JP (1) JP2009512952A (en)
KR (1) KR20080059321A (en)
CN (1) CN101292249A (en)
WO (1) WO2007049181A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2211288A1 (en) * 2009-01-21 2010-07-28 Giesecke & Devrient GmbH Method for executing an error routine with a processor when a data storage medium is accessed
DE102008030032B4 (en) 2007-06-14 2022-03-17 Samsung Electronics Co., Ltd. Integrated semiconductor circuit, smart card and hacking detection method

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101436982B1 (en) * 2007-10-12 2014-09-03 삼성전자주식회사 Semiconductor integrated circuit and method for testing thereof
US20100013631A1 (en) * 2008-07-16 2010-01-21 Infineon Technologies Ag Alarm recognition
EP2677327A1 (en) * 2012-06-21 2013-12-25 Gemalto SA Method for producing an electronic device with a disabled sensitive mode, and method for transforming such an electronic device to re-activate its sensitive mode
US9105344B2 (en) * 2012-12-20 2015-08-11 Intel Corporation Shut-off mechanism in an integrated circuit device
JP5641589B2 (en) * 2013-04-05 2014-12-17 Necプラットフォームズ株式会社 Tamper resistant circuit, apparatus having tamper resistant circuit, and tamper resistant method
CN108701193B (en) * 2016-02-12 2022-08-30 汉阳大学校产学协力团 Secure semiconductor chip and method for operating the same
US10192608B2 (en) * 2017-05-23 2019-01-29 Micron Technology, Inc. Apparatuses and methods for detection refresh starvation of a memory
US11880454B2 (en) * 2020-05-14 2024-01-23 Qualcomm Incorporated On-die voltage-frequency security monitor
US11790974B2 (en) 2021-11-17 2023-10-17 Micron Technology, Inc. Apparatuses and methods for refresh compliance

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0481881A1 (en) * 1990-10-19 1992-04-22 Gemplus Card International Integrated circuit with improved security access
WO2000045244A1 (en) * 1999-02-01 2000-08-03 Koninklijke Philipps Electronics N.V. Integration of security modules on an integrated circuit
WO2001003084A1 (en) * 1999-06-30 2001-01-11 Bull Cp8 Method for making secure a sensitive information processing in a monolithic security module, and associated security module
EP1220101A1 (en) * 2000-12-28 2002-07-03 STMicroelectronics Method and device for protecting against unauthorised use of integrated circuits
US20030149914A1 (en) 2002-02-05 2003-08-07 Samsung Electronics Co., Ltd. Semiconductor integrated circuit with security function
WO2004063910A1 (en) * 2003-01-10 2004-07-29 Philips Intellectual Property & Standards Gmbh Circuit arrangement and method for protecting electronic components against illicit manipulation

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH07261942A (en) * 1994-03-18 1995-10-13 Fujitsu Ltd Device for preventing illicit copy of memory card
US6289456B1 (en) * 1998-08-19 2001-09-11 Compaq Information Technologies, Inc. Hood intrusion and loss of AC power detection with automatic time stamp
US20010011947A1 (en) * 1999-05-24 2001-08-09 Muhammed Jaber System and method for securing a computer system
US6507913B1 (en) * 1999-12-30 2003-01-14 Yeda Research And Development Co. Ltd. Protecting smart cards from power analysis with detachable power supplies
JP3559498B2 (en) * 2000-04-06 2004-09-02 Necインフロンティア株式会社 Card reader device with security function
US20020007459A1 (en) * 2000-07-17 2002-01-17 Cassista Gerard R. Method and apparatus for intentional blockage of connectivity
JP2003050474A (en) * 2001-08-07 2003-02-21 Fuji Photo Film Co Ltd Plate making method for planographic printing plate
KR100440451B1 (en) * 2002-05-31 2004-07-14 삼성전자주식회사 Circuit For Detecting A Volatage Glitch, An Integrated Circuit Device Having The Same, And An Apparatus And Method For Securing An Integrated Circuit Device From A Voltage Glitch Attack
US7205883B2 (en) * 2002-10-07 2007-04-17 Safenet, Inc. Tamper detection and secure power failure recovery circuit
US7237172B2 (en) * 2002-12-24 2007-06-26 Micron Technology, Inc. Error detection and correction in a CAM

Also Published As

Publication number Publication date
US20090049548A1 (en) 2009-02-19
JP2009512952A (en) 2009-03-26
EP1943604A1 (en) 2008-07-16
KR20080059321A (en) 2008-06-26
CN101292249A (en) 2008-10-22

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase; Ref document number: 200680039352.1; Country of ref document: CN
121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase; Ref document number: 2006809608; Country of ref document: EP
WWE Wipo information: entry into national phase; Ref document number: 12090732; Country of ref document: US
ENP Entry into the national phase; Ref document number: 2008537253; Country of ref document: JP; Kind code of ref document: A
NENP Non-entry into the national phase; Ref country code: DE
WWE Wipo information: entry into national phase; Ref document number: 4322/DELNP/2008; Country of ref document: IN
WWE Wipo information: entry into national phase; Ref document number: 1020087012207; Country of ref document: KR
WWP Wipo information: published in national office; Ref document number: 2006809608; Country of ref document: EP