The present invention relates generally to integrated circuit devices and packaging methods, and, more particularly, to a method and structure for implementing secure multichip modules (MCM) for encryption applications.
FIPS (Federal Information Processing Standard) 140-1 is a U.S. government standard for implementations of cryptographic modules; i.e., hardware or software that encrypts and decrypts data or performs other cryptographic operations (such as creating or verifying digital signatures). The FIPS 140-1 standard was created by the National Institute of Standards and Technology (NIST), and specifies requirements for the proper design and implementation of products that perform cryptography.
In particular, FIPS 140-1 specifies security requirements that are to be satisfied by a cryptographic module used within a security system protecting unclassified information within computer and telecommunication systems (including voice systems). The standard provides four increasing, qualitative levels of security (Level 1, Level 2, Level 3, and Level 4) which are intended to cover the wide range of potential applications and environments in which cryptographic modules may be employed. Each security level offers an increase in security over the preceding level. These four increasing levels of security allow for cost-effective solutions that are appropriate for different degrees of data sensitivity and different application environments.
For example, Security Level 1 provides the lowest level of security. It specifies basic security requirements for a cryptographic module, but does not mandate any physical security mechanisms in the module beyond the requirement for production-grade equipment. Examples of Level 1 systems include integrated circuit (IC) cards and add-on security products. Level 1 allows software cryptographic functions to be performed in a general purpose personal computer (PC).
Security Level 2 improves the physical security of a Security Level 1 cryptographic module by adding a requirement for tamper evident coatings or seals, or for pick-resistant locks. Tamper evident coatings or seals, which are available today, would be placed on a cryptographic module so that the coating or seal would have to be broken in order to attain physical access to the plaintext cryptographic keys and other critical security parameters within the module. Pick-resistant locks would be placed on covers or doors to protect against unauthorized physical access. In addition, Level 2 provides for role-based authentication in which a module must authenticate that an operator is authorized to assume a specific role and perform a corresponding set of services. It further allows software cryptography in multi-user timeshared systems when used in conjunction with trusted operating system.
Security Level 3 requires even further enhanced physical security measures, many of which are available in existing commercial security products. In contrast to Security Level 2 (which employs locks to protect against tampering with a cryptographic module, or employs coatings or seals to detect when tampering has occurred), Level 3 attempts to prevent an intruder from gaining access to critical security parameters held within the module. For example, a multi-chip embedded module must be contained in a strong enclosure, wherein if a cover is removed or a door is opened, the critical security parameters are zeroized (i.e., electronically erased by altering the contents thereof). Alternatively, a module may be enclosed in a hard, opaque potting material to deter access to the contents.
Among other aspects, Level 3 also provides for identity-based authentication, which is stronger than the role based-authentication used in Level 2. A module must authenticate the identity of an operator and verify that the identified operator is authorized to assume a specific role and perform a corresponding set of services.
Finally, Security Level 4 provides the highest level of security. Although most existing products do not meet this level of security, some products are commercially available which meet many of the Level 4 requirements. Level 4 physical security provides an envelope of protection around the cryptographic module. Whereas the tamper detection circuits of lower level modules may be bypassed, the intent of Level 4 protection is to detect a penetration of the device from any direction. For example, if an attempt is made to cut through the enclosure of the cryptographic module, then such an attempt should be detected and all critical security parameters should thereafter be zeroized. Level 4 devices are particularly useful for operation in a physically unprotected environment where an intruder could possibly tamper with the device.
Level 4 also protects a module against a compromise of its security due to environmental conditions or fluctuations outside of the module's normal operating ranges for voltage and temperature. Intentional excursions beyond the normal operating ranges could be used to thwart a module's defense during an attack. Thus, a module is required to either include special environmental protection features designed to detect fluctuations and zeroize critical security parameters, or to undergo rigorous environmental failure testing that provides a reasonable assurance that the module will not be affected by fluctuations outside of the normal operating range in a manner that can compromise the security of the module.
Unfortunately, existing multichip modules (MCM's) conforming to Level 4 security requirements implement difficult and cumbersome designs that involve, for example, potting a fragile mesh card structure. Moreover, such designs provide a limited capacity for desired electromagnetic (EM) shielding. Still a further difficulty stems from changing existing crypto modules from an organic based material to a ceramic based material, in that ceramic materials present certain interconnect problems such as nearest neighbor shorting in the ball grid array due to the collapse of solder balls. In addition, a fully collapsing structure will have a low interconnect height that in turn can cause a larger percentage variation between interconnect heights across the device. A collapsed height of the final interconnection may also cause shorts or opens.
Accordingly, it would be desirable to implement secure multichip modules (MCM) for encryption applications in a manner that overcomes such disadvantages.