WO2009034490A1 - Integrated circuit with data line monitoring and alarm signal - Google Patents

Integrated circuit with data line monitoring and alarm signal Download PDF

Info

Publication number
WO2009034490A1
WO2009034490A1 PCT/IB2008/053331 IB2008053331W WO2009034490A1 WO 2009034490 A1 WO2009034490 A1 WO 2009034490A1 IB 2008053331 W IB2008053331 W IB 2008053331W WO 2009034490 A1 WO2009034490 A1 WO 2009034490A1
Authority
WO
WIPO (PCT)
Prior art keywords
read
integrated circuit
data
data lines
gate
Prior art date
Application number
PCT/IB2008/053331
Other languages
French (fr)
Inventor
Sönke OSTERTUN
Original Assignee
Nxp B.V.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nxp B.V. filed Critical Nxp B.V.
Publication of WO2009034490A1 publication Critical patent/WO2009034490A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/75Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by inhibiting the analysis of circuitry or operation
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11CSTATIC STORES
    • G11C7/00Arrangements for writing information into, or reading information out from, a digital store
    • G11C7/10Input/output [I/O] data interface arrangements, e.g. I/O data control circuits, I/O data buffers
    • G11C7/1048Data bus control circuits, e.g. precharging, presetting, equalising
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11CSTATIC STORES
    • G11C7/00Arrangements for writing information into, or reading information out from, a digital store
    • G11C7/24Memory cell safety or protection circuits, e.g. arrangements for preventing inadvertent reading or writing; Status cells; Test cells

Definitions

  • This invention relates to an integrated circuit with pre-chargeable data lines whereas a change of a potential of the data lines is detectable with read amplifiers and to a respective method.
  • So called smartcard chips are carrying important information and/or data with which an authorisation or identification of a user may be performed. With such cards an access to a place or service can be enabled as well as the administration of a bank account. The stored information must not be accessible from the outside to prevent an abuse. Especially the key data for encoding information to be transmitted have to be protected as well as a program stack storing return addresses for subroutines.
  • One way to attack a read access onto such integrated circuits is the irradiation with highly focussed laser light, e.g. with so called laser cutters.
  • the resulting charge carriers namely electrons and/or ions, can easily affect the read access.
  • Further examples are capacitive disturbances or the applying of external voltages and currents with contact pins.
  • error identifying or error correcting codes For the protection of memory contents and the read access against undesired manipulations there are often used error identifying or error correcting codes, which on the other hand need memory space for redundant data bits. To assure an adequate protection the relation between redundant bits and usable bits is mostly too high and requires a too large area. Such error identifying methods are effective only with huge data blocks which contrariwise require more read accesses onto the memories resulting in a loss of performance which is often not acceptable, e.g. in case of program codes.
  • a possibility to protect a read access is to read out a memory cell twice or reading without a cell selection which has to give a certain result. From the WO 2004/049349 A2 it is known to read during an inactive time period. Disadvantages of this methods lie in the facts that access times are doubled and accordingly the performance is reduced as well as a significant decoupling in time and where applicable in space of additional read accesses.
  • the core of the invention lies in the fact that after a read access has been completed there is usually a passive time period whereas the completion of the read access can be derived from a positive edge of a completion signal.
  • the following time period can be used to detect an attack onto the integrated circuit via a comparison of the binary information data outputs of read amplifiers with stored or buffered values. If there is a change in the values an attack is assumed and an alarm signal or the like can be produced.
  • this invention it is possible to use the inactive time in an integrated circuit to detect an attack. Thereby attacks on a read access itself can be identified if the attack influences the circuit still after completion of the attacked read process as well as useless attacks after completion of a correct read process.
  • FIG 1 is depicted an exemplary electric integrated circuit 100 with a 6-transistor-SRAM-cell.
  • the SRAM-cell consists of two inverters 11 which are connected as a ring and represent the memory cell itself. Further there are provided two access transistors 12 controlled by a line access control line 23 for connecting the inverters 11 with data lines 21, 22.
  • a memory matrix is composed of multiple repetitions of such or the like cells.
  • a read access mostly is divided into a pre-conditioning of the memory matrix and a measurement process. Therefore for example the data lines 21, 22 are charged with pre-charge transistors 13 up to a certain potential e. g. a positive supply potential 24.
  • the pre-charge transistors 13 are controlled by a pre-charge control signal 25.
  • the pre-charging is stopped by closing the pre-charge transistors 13 and opening the access transistors 12 with the line access control line 23.
  • a change of voltage in the two data lines 21, 22 is monitored. Dependant which line looses first its potential a bit is interpreted as 0 (Zero) or 1 (One). By external manipulations like irradiation with light or a capacitive coupling this read process can be easily disturbed.
  • the a. m. measurement process is performed by a read amplifier 14. As soon as one of the two data lines 21, 22 has changed its potential sufficiently the respective data output 26, 27 indicates a logic 0 or 1. By linking them with an OR- gate 15 a read completion signal 28 can be derived from these two signals showing the successful completion of the read process.
  • the two outputs of the a. m. mask- AND-gates 18 can be linked via an OR-gate 19 to give out an alarm signal 31.
  • a modification of the read amplifiers 14 is possible by bringing them into another mode with a feed back of the read completion signal 28. In this mode they monitor the logical state of the data lines 21, 22. If the logical state changes on the input during this monitoring mode also a respective alarm can be displayed.

Abstract

An integrated circuit (100) has pre-chargeable data lines (21, 22), whereas a change of a potential of the data lines (21, 22) is detectable with read amplifiers (14). To enhance its security against attacks the data outputs (26, 27) of the read amplifiers (14) are comparable with buffered data until a next read or write process and if a change occurs an alarm is displayable. Further a respective method is disclosed.

Description

DESCRIPTION
INTEGRATED CIRCUIT WITH DATA LINE MONITORING AND ALARM SIGNAL
FIELD OF THE INVENTION This invention relates to an integrated circuit with pre-chargeable data lines whereas a change of a potential of the data lines is detectable with read amplifiers and to a respective method.
BACKGROUND OF THE INVENTION So called smartcard chips are carrying important information and/or data with which an authorisation or identification of a user may be performed. With such cards an access to a place or service can be enabled as well as the administration of a bank account. The stored information must not be accessible from the outside to prevent an abuse. Especially the key data for encoding information to be transmitted have to be protected as well as a program stack storing return addresses for subroutines.
One way to attack a read access onto such integrated circuits is the irradiation with highly focussed laser light, e.g. with so called laser cutters. The resulting charge carriers, namely electrons and/or ions, can easily affect the read access. Further examples are capacitive disturbances or the applying of external voltages and currents with contact pins.
Since it is not possible to avoid such attacks in general it is at least necessary to detect such an attack for enabling the integrated circuit to perform an adequate response, for example a restart or the complete deactivation of the circuit.
For the protection of memory contents and the read access against undesired manipulations there are often used error identifying or error correcting codes, which on the other hand need memory space for redundant data bits. To assure an adequate protection the relation between redundant bits and usable bits is mostly too high and requires a too large area. Such error identifying methods are effective only with huge data blocks which contrariwise require more read accesses onto the memories resulting in a loss of performance which is often not acceptable, e.g. in case of program codes.
A possibility to protect a read access is to read out a memory cell twice or reading without a cell selection which has to give a certain result. From the WO 2004/049349 A2 it is known to read during an inactive time period. Disadvantages of this methods lie in the facts that access times are doubled and accordingly the performance is reduced as well as a significant decoupling in time and where applicable in space of additional read accesses.
Further the US 2004/0264273 Al discloses a method for ensuring a liability of logic operations with a double latch. Thereby it can be assured that a bit in the state 1 (One) does not change its state during a certain time. But this requires an exact timing of the two latches to avoid a false alarm and additional area on the integrated circuit as well.
Finally it is known that a read access can be protected during the pre- charge of data lines with a reference voltage to detect an attack on this data lines.
SUMMARY OF THE INVENTION
It is an object of the invention to create an integrated circuit which has an enhanced protection against attacks whereas its performance is almost unaltered. Further a respective method for controlling such an integrated circuit shall be given.
These problems are solved by an integrated circuit as described in claim 1 and a method as described in claim 5.
The core of the invention lies in the fact that after a read access has been completed there is usually a passive time period whereas the completion of the read access can be derived from a positive edge of a completion signal. The following time period can be used to detect an attack onto the integrated circuit via a comparison of the binary information data outputs of read amplifiers with stored or buffered values. If there is a change in the values an attack is assumed and an alarm signal or the like can be produced. By this invention it is possible to use the inactive time in an integrated circuit to detect an attack. Thereby attacks on a read access itself can be identified if the attack influences the circuit still after completion of the attacked read process as well as useless attacks after completion of a correct read process. In principle is the method of comparing the read data with the outputs of the read amplifiers not limited to SRAMS. The method also works with all other kinds of memory types like EEPROM, Flash or ROM. The determination of completion of a read process is only very simple in a SRAM because of the double data line. In every memory an access time is defined. A flexible disposition along the completion signal as in a SRAM might not be possible always. But also an external disposition allows if applicable a comparison of the read data with the still active outputs of the read amplifiers.
If there are double data lines like in an SRAM additional attacks can be identified. Namely those of the kind that both data lines loose likewise potential what is excluded during regular use. This is typical with many attacks since the local resolution of the attack is not precise enough. The likewise change of potential on the data lines can be detected easily by linking the two data outputs with an AND-gate or a NOR-gate depending on the forbidden state of both signals at high or low potential. The output of this AND- or NOR-gate will display an unallowed state reliably.
It is to be seen that such methods can be applied to all kinds of integrated circuits. Especially the use with smartcard integrated circuits is preferable since they have to be checked and certified extensively by independent laboratories before they are allowed to be used in critical applications for example as bank account card. Since there are always new kinds of attacks the security standards are raised accordingly. In particular stored secret information and program codes can be protected much better against attacks since a number of attacks are directed to the reading of data stored in a memory like a SRAM. The integrated circuit may then react adequate with a restart or with a switch-off.
BRIEF DESCRIPTION OF THE DRAWING
An embodiment of an integrated circuit is hereinafter described with reference to the according drawing. The only figure shows a schematic view of an integrated circuit according to the invention.
DETAILED DESCRIPTION OF THE DRAWING
In figure 1 is depicted an exemplary electric integrated circuit 100 with a 6-transistor-SRAM-cell. The SRAM-cell consists of two inverters 11 which are connected as a ring and represent the memory cell itself. Further there are provided two access transistors 12 controlled by a line access control line 23 for connecting the inverters 11 with data lines 21, 22. A memory matrix is composed of multiple repetitions of such or the like cells. A read access mostly is divided into a pre-conditioning of the memory matrix and a measurement process. Therefore for example the data lines 21, 22 are charged with pre-charge transistors 13 up to a certain potential e. g. a positive supply potential 24. Hereby the pre-charge transistors 13 are controlled by a pre-charge control signal 25. Subsequently the pre-charging is stopped by closing the pre-charge transistors 13 and opening the access transistors 12 with the line access control line 23. During this access period a change of voltage in the two data lines 21, 22 is monitored. Dependant which line looses first its potential a bit is interpreted as 0 (Zero) or 1 (One). By external manipulations like irradiation with light or a capacitive coupling this read process can be easily disturbed. The a. m. measurement process is performed by a read amplifier 14. As soon as one of the two data lines 21, 22 has changed its potential sufficiently the respective data output 26, 27 indicates a logic 0 or 1. By linking them with an OR- gate 15 a read completion signal 28 can be derived from these two signals showing the successful completion of the read process. With the positive edge of this signal it is possible to buffer data from the outputs 26, 27 with flip-flops 16. As soon as one of the two read amplifiers 14 detects a change of potential on a matrix data line 21, 22 the correspondent output of an exclusive OR-gate 29 will signalise an alarm. Usually with the positive edge of the read termination signal 28 a read process is completed. According to the invention the subsequent time period until the next read or write process can be used to detect possible attacks. If there is no attack, the binary information on the data lines 21, 22 can not be altered any more. By keeping the read amplifiers 14 operating, it is possible to compare their data outputs 26, 27 with the buffered data 29, 30. Preferably this is done with exclusive Or-gates 17. Since such a comparison must not be done until a read process has been finished the result of such a comparison has to be masked out with AND-gates 18 during the read process itself.
The two outputs of the a. m. mask- AND-gates 18 can be linked via an OR-gate 19 to give out an alarm signal 31. In an alternative embodiment a modification of the read amplifiers 14 is possible by bringing them into another mode with a feed back of the read completion signal 28. In this mode they monitor the logical state of the data lines 21, 22. If the logical state changes on the input during this monitoring mode also a respective alarm can be displayed.
LIST OF REFERENCE SIGNS
11 inverter
12 access transistor 13 pre-charge transistor
14 read amplifier
15 OR-gate
16 flip-flop
17 exclusive OR-gate 18 AND-gate
19 OR-gate
21 positive data line
22 negative data line
23 line access control line 24 pre-charge supply line
25 pre-charge control signal
26 output for logical 0
27 output for logical 1
28 read completion signal 29 stored data output 0
30 stored data output 1
31 alarm signal output 100 integrated circuit

Claims

1. Integrated circuit (100) with data lines (21, 22), whereas a change of a potential of the data lines (21, 22) is detectable with read amplifiers (14), characterised in that, until a next read or write access data outputs (26, 27) of the read amplifiers (14) are comparable with buffered data and if a change occurs an alarm is displayable.
2. Integrated circuit (100) according to claim 1, characterised in that, a comparison is performable with an exclusive OR-gate (17).
3. Integrated circuit (100) according to claim 1 or 2, characterised in that, a comparison can be masked with AND-gates (18).
4. Integrated circuit (100) according to claim 3, characterised in that, two outputs of the And-gates (18) are linkable with an OR-gate (19) for displaying an alarm signal.
5. Method for controlling an integrated circuit (100) with data lines (21, 22), whereas a change of a potential of the data lines (21, 22) is detected with read amplifiers (14), characterised in that, until a next read or write access data outputs (26, 27) of the read amplifiers (14) are compared with buffered data and if a change occurs an alarm is displayed
6. Method according to claim 5, characterised in that, a comparison is performed with an exclusive OR-gate (17).
7. Method according to claim 5 or 6, characterised in that, a comparison is masked with AND-gates (18).
8. Method according to any of the claim 7, characterised in that, two outputs of the And-gates (18) are linked with an OR-gate (19) for displaying an alarm signal.
PCT/IB2008/053331 2007-09-10 2008-08-20 Integrated circuit with data line monitoring and alarm signal WO2009034490A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP07116002.2 2007-09-10
EP07116002 2007-09-10

Publications (1)

Publication Number Publication Date
WO2009034490A1 true WO2009034490A1 (en) 2009-03-19

Family

ID=40260499

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2008/053331 WO2009034490A1 (en) 2007-09-10 2008-08-20 Integrated circuit with data line monitoring and alarm signal

Country Status (1)

Country Link
WO (1) WO2009034490A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030204696A1 (en) * 2002-04-29 2003-10-30 Samsung Electronics Co., Inc. Tamper-resistant method and data processing system using the same
US20030226082A1 (en) * 2002-05-31 2003-12-04 Samsung Electronics Co., Ltd. Voltage-glitch detection device and method for securing integrated circuit device from voltage glitch attack
US6993130B1 (en) * 2000-02-04 2006-01-31 Xtec, Incorporated Methods and apparatus for mediametric data cryptoprocessing
US20070058452A1 (en) * 2005-09-08 2007-03-15 Samsung Electronics Co., Ltd. Voltage glitch detection circuits and methods thereof

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6993130B1 (en) * 2000-02-04 2006-01-31 Xtec, Incorporated Methods and apparatus for mediametric data cryptoprocessing
US20030204696A1 (en) * 2002-04-29 2003-10-30 Samsung Electronics Co., Inc. Tamper-resistant method and data processing system using the same
US20030226082A1 (en) * 2002-05-31 2003-12-04 Samsung Electronics Co., Ltd. Voltage-glitch detection device and method for securing integrated circuit device from voltage glitch attack
US20070058452A1 (en) * 2005-09-08 2007-03-15 Samsung Electronics Co., Ltd. Voltage glitch detection circuits and methods thereof

Similar Documents

Publication Publication Date Title
US6856531B2 (en) Hacker-proof one time programmable memory
EP0743602B1 (en) Circuit device for function usage control in an integrated circuit
US6952778B1 (en) Protecting access to microcontroller memory blocks
JPS62164187A (en) Test program start up system
US7916517B2 (en) Circuit arrangement and method for recognizing manipulation attempts
CN106056003A (en) Apparatus and method for generating identification key
CN103946854A (en) Retention based intrinsic fingerprint identification featuring a fuzzy algorithm and a dynamic key
KR101108516B1 (en) Device and method for non-volatile storage of a status value
US6499092B1 (en) Method and apparatus for performing access censorship in a data processing system
US10296738B2 (en) Secure integrated-circuit state management
EP3136286B1 (en) Data processing system with secure key generation
US7398554B1 (en) Secure lock mechanism based on a lock word
US10762948B2 (en) Floating body DRAM with reduced access energy
CN103679010B (en) Detection device
US20050044403A1 (en) Detection circuit for a smart card
CN114521261A (en) Undefined lifecycle state identifier for managing security of an integrated circuit device
CN106326781A (en) Method and device for protecting chip testing mode
US7787315B2 (en) Semiconductor device and method for detecting abnormal operation
WO2009034490A1 (en) Integrated circuit with data line monitoring and alarm signal
US6249456B1 (en) Secured EEPROM memory comprising means for the detection of erasure by ultraviolet radiation
US20030133241A1 (en) Method and arrangement for protecting digital parts of circuits
US20140082372A1 (en) Secure spin torque transfer magnetic random access memory (sttmram)
US20070274302A1 (en) Data Storage Device, Memory Managing Method, and Program
CN103778953A (en) SRAM memory cell
US7806319B2 (en) System and method for protection of data contained in an integrated circuit

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08807370

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08807370

Country of ref document: EP

Kind code of ref document: A1