1. Field of the Invention
The present invention relates to data storage devices, and in particular to secure operation of such data storage devices.
2. Description of Related Art
Modern attacks on data processing means which process security-relevant data, and/or attacks on the algorithms and secret keys processed therein, are effected via so-called leak information. Leak information includes, for example, the current consumption of the data processing unit, electromagnetic radiation during operation of the data processing means, etc. Conclusions about security-relevant information may be drawn from a statistical analysis of the physical signals picked up.
Here, the most common forms of attack are simple power analysis (SPA), differential power analysis (DPA) or high-order differential power analysis (HO-DPA).
Various methods have been employed to prevent these attacks, such as software engineering methods which comprise continuously altering the sequence of operations of the cryptographic algorithm or inserting redundant operations. Hereby, statistical evaluations, for example of the power profile or of the electromagnetic radiation, are prevented or at least made much more difficult.
A disadvantage of this approach is the large-scale intervention in the respective software and the algorithms as well as the significant reduction in performance which results in most cases. A further known measure is to include additional current profile generators which overlay an additional stochastic current profile on the original current profile of the circuit, for example of the controller, etc. The benefit of this approach is doubtful, since in general it does not provide adequate protection against DPA or HO-DPA and additionally may lead to a significant increase in the current consumption of the data processing means.
A further known measure is to infiltrate random actions into the data processing unit. To this end, state machines are infiltrated with random command sequences and states so as to create a time-related desynchronization of the command flow of a cryptographic process. Thus it may be made more difficult to find trigger points in current profiles and to perform a current profile analysis by means of resynchronization over time. The controller, which is referred to as an “idle function generator”, serves to infiltrate random sequences, for example into the processor pipeline of a CPU. Such a controller typically involves considerable complexity, since it must be ensured that the integrity of the data being processed and the integrity of the command flow are maintained despite the security measures. As an example, register or memory contents must not be overwritten by mistake. Of course, the causality of instructions must not be violated either, etc.
Modern data processing means include a CPU, a memory, such as a non-volatile memory and a volatile memory, as well as a cache memory, which significantly contributes to increasing the calculating speed of a data processing means by providing fast memory access. Such powerful and fast storage systems typically contain multi-stage cache memories or buffers which temporarily hold areas of the main memory. Examples are instruction cache memories, data cache memories or translation lookaside buffers (TLBs), also referred to as address cache memories. Such data storage devices exist, in various embodiments, on each processor. Cache memories structured in an associative manner, or memories in general, hold a plurality of lines, i.e. data storage units, in each of which a data block from the main memory may be deposited. Such a memory is also referred to as an n-way associative cache memory, n designating the number of data storage units. One of these n data storage units is selected to deposit a data block which is to be newly stored in the memory. Here, the data block previously deposited is displaced. The displaced data block must then be reloaded from the main memory when it is needed again.
Usually a so-called least recently used (LRU) algorithm is used for selecting the line into which a new data unit is to be written, since the best cache performance may typically be achieved by using such a replacement strategy.
A different, less time-consuming and costly known replacement strategy is the so-called random replacement strategy, wherein the data storage unit to be overwritten is randomly chosen. With a high amount of cache associativity and large-scale memories, the random replacement strategy may achieve nearly the same performance as an LRU strategy, which is considerably more time-consuming and costly to implement.
The random number generator required for the random replacement strategy is a pseudo random number generator based on a circuit comprised of linear feedback shift registers (LFSR). Such circuits comprising linear feedback shift registers are placed into a defined initial state by means of a so-called seed; starting from this defined initial state, a deterministic sequence of random numbers is generated which, however, has an approximately random distribution. This sequence is deterministic in that it is repeated in an exact manner whenever the predetermined seed has been fed into the LFSR. If a different seed is fed in, this results in a different but likewise fully repeatable sequence of randomly appearing random numbers.
In view of the above-described attacks on cryptographic data processing means, such pseudo random number generators and/or the random replacement strategy based on these pseudo random number generators have the significant disadvantage that the program flow will always remain deterministic. In particular, a program would exhibit exactly the same behavior after each restart of the CPU. This represents a point of attack for power analysis attacks.