An aspect of the present invention relates to a smart card chip arrangement and a method for protecting a smart-card chip arrangement from unauthorized tampering.
Smart cards are used for a multitude of applications and, in order to protect the user or provide identification for the relevant application, they generally perform some form of encryption or decryption. To this end, a secret key is stored on the chip to render the cryptographic function unique. Attacks from unauthorised parties aim to retrieve this secret key and hence allow the attacker to duplicate or otherwise misuse the smart card. There are two classes of attack: non-invasive and invasive. The present invention is able to find a solution to the latter.
Invasive attacks on smart cards are performed by partially or completely removing the packaging of the microchip of the smart card. The depackaging step may be achieved using acids, solvents, laser cutters, or chemical mechanical polishing. A comprehensive description of the various techniques employed is given in the paper “Design Principles for Tamper-Resistant Smartcard Processors” by Oliver Kömmerling and Markus Kuhn, Proc. of the USENIX Workshop on Smartcard Technology, Chicago, 10-11 May, 1999, pp. 9-20. Once the microchip has been depackaged, attacks are conducted by probing metal tracks. A focus ion beam (FIB) technique could be employed to drill fine holes in the insulating layer in order to expose fine metal tracks without disturbing other components.
A standard countermeasure against invasive attacks is to cover the chip surface with a metal protection grid. More specifically, the topmost metal layer of the microchip is patterned to cover the chip with a meandering grid. This grid prevents access to the circuitry below and also shields the chip circuitry from electromagnetic emissions, which may leak sensitive information (see, e.g., the Dallas DS5002FPM secure microprocessor). Damage to the protection grid is detected, which triggers an alarm and thus causes the chip to refuse further operation.
A second method for protecting the encryption keys is to randomly distribute small particles directly into the packaging of the microchip. The cryptographic key is then derived from measuring the distribution of these particles. To achieve this, the chip includes sensors that are sensitive to at least one physical property of the particles (e.g. magnetism). If the packaging is damaged or removed, the encryption key is lost. This structure is the subject of U.S. Pat. No. 7,005,733 by Kömmerling et al.
A drawback with the use of metal protection grids is that the depackaging procedure leaves the protection grid intact. Generally speaking, it is necessary to actively break the metal protection grid in order to trigger the alarm. However, since the feature size of the metal grid is much bigger than what the FIB can achieve, it is highly likely that the grid will be unable to provide sufficient protection (as demonstrated by Kömmerling and Kuhn in the above-mentioned paper). A small hole can be excavated between grid lines to expose signal wires for probing by the attacker, without triggering the alarm.
As regards the particle-distribution technique, this solution is elegant in principle, but requires a multitude of sensors to be positioned on the chip surface. This is expected to consume significant area on the chip and complicate routing, not least because metal wires running above a sensor will shield it from the relevant property of the packaging, thereby defeating the purpose.