There presently is a need to provide security for data and software. For example, in bank terminals, data are entered using a touchpad or derived by a card reader (e.g., a magnetic card reader). These data are used to make a secure transaction. Security is necessary for such a transaction and access to the data must be protected.
To ensure that the data are not tampered with, stolen, or otherwise accessed without authorization the data are commonly encrypted prior to transmission. However data or software could still be accessed prior to encryption, as by accessing the traces of an integrated circuit (IC) through which the unencryted data are first sent. The traces could be accessed by either direct contact to the trace, or electronic surveillance, such as decoding voltage on a lead by measuring electromagnetic changes (e.g., induced magnetic fields, capacitance, etc.).
In prior devices a three dimensional mesh has been used to enclose an IC and prevent tampering. For example U.S. Pat. No. 6,646,565 to Fu, et al. and entitled, “Point of Sale (POS) Terminal Security System,” discloses a device for security of electronic circuits in which an electrical connection is inserted between a first and a second circuit board. A tamper detection circuit is also used to detect circuit tampering. The entire device is wrapped in a mesh. Any tampering with the circuit boards or the mesh is sensed in a current flowing through a security layer in the circuit boards and mesh. This current disturbance signals a security system to scramble or erase sensitive data, such that the data will not be intercepted. Other similar devices include U.S. Pat. Nos. 4,593,384; 4,691,350; and 4,807,284.
U.S. Pat. No. 5,406,630, to Piosinka, et al., entitled, “Tamperproof Arrangement for an Integrated Circuit Device” discloses a tamper proof IC device. The package and lid include heavy metals to prevent both x-ray radiation and infrared detection of the functioning of the chip. This effectively provides an electrical shield of the workings of the IC
U.S. Pat. No. 6,396,400, to Epstein III, et al., entitled, “Security System and Enclosure to Protect Data Contained Therein,” discloses a security system for protecting a data storage device. The data storage device is enclosed in a first housing, which is mounted within a second housing by a number of support structures. A vacuum is created in an interstitial space between the first housing and the second housing. Breach of the second housing causes a pressure change that may be detected by a sensor.
In some security chips, a surface-level conducting trace layer is added which consists of one or more signal nets routed in such a way as to obscure the underlying circuitry. This top layer: 1. Visually hides the underlying circuit. An optical probe would not be able to image the circuit and from this image develop a means for accessing the circuit. 2. Prevents physical contact with the circuit; a physical probe would be prevented from contacting a conductive element in the underlying circuit and intercepting the signal that is present on that conductor. 3. Provides an electromagnetic shield. The conducting trace layer shields the underlying circuits from interference caused by electromagnetic signals. 4. Provides an electromagnetic masking signal. If a sensitive probe attempted to monitor an electromagnetic signal (including some indirect induced electromagnetic signal from the chip), the presence of an overlying source of electromagnetic signals would frustrate an attempt to intercept any underlying signal.
The shield may comprise an electrical shield component and a conductive component. The conductive component can be actively driven electrically in such a way that any disturbance to the component (e.g. drilling through the component, attempted modification to the conductive component, etc.) can be detected by a security circuit. The security circuit can then trigger a specific action, such as sounding an alarm, erasing data or software held by the circuit, etc.
An inherent feature of an active security trace is that when the voltage of the security trace layer changes it will induce a related change in any adjacent conductors through capacitance. The changing potential of the security trace will cause a current to flow in any adjacent trace via capacitive coupling. The current induced in an adjacent circuit is given by the equation I=C dv/dt, where “I” is a current induced, “C” is the value of capacitance between adjacent traces, and dv/dt is the rate of change of the driving voltage.
With reference to FIG. 1, a pattern generator 10 generates a signal pattern sent to a driver 12. The driver 12 drives the generated signal pattern through a security trace 14. The security trace 14 is part of a security device on an integrated circuit (not shown). The security trace 14 may be embedded in the packaging of an integrated circuit or otherwise disposed in relation to a lower trace 16. The security trace 14 is connected to a compare circuit 22 by a trace conductor 20 or security trace 14 may be coupled directly to a compare circuit 22. The compare circuit 22 compares the signal generated by the pattern generator 10 as transmitted through a connection line 26 to the pattern received from security trace 14 via the trace conductor 20. FIG. 2A illustrates an example of a voltage change through time in the security trace 14. The lower trace 16 is underlying the security trace 14. As a result of capacitive coupling, discussed above, there is an unintended electrical coupling of the voltage change in the security trace 14 to the lower trace 16. The effect of the induced current on the voltage present at the lower trace 16 is shown in FIG. 2B. Ideally, the lower trace 16 would be unaffected by any voltage change in the security trace 14, however, due to the unintended coupling through the unintended coupling capacitor 18, there is a dip in the signal as charge carriers migrate to the unintended coupling capacitor 18 and the effect persists until the unintended coupling capacitor 18 is fully charged, at which time there is a recovery to the intended signal strength. Depending upon the function of the lower trace 16, this unintended signal coupling may result in corrupted data, instruction errors, etc. A skilled artisan will recognize that unintended coupling capacitor 18 is representative of parasitic capacitance and is not an actual component in the circuit.
A device that compensates for the unintended voltage coupling, thereby preventing any distortion of the signals in the underlying circuit would be useful.