The use of small portable devices such as a smart card is becoming more prevalent. A smart card is a credit-card sized plastic card with an embedded computer chip. The smart card can be either a memory card or a microprocessor card. Memory cards simply store data and can be viewed as a small floppy disk with optional security. A microprocessor card, on the other hand, can use programs on the card to add, delete and manipulate information in card memory. For the remainder of this disclosure, “smart card” shall refer to a microprocessor card.
Smart cards typically include three types of memory: persistent nonmutable memory, persistent mutable memory and nonpersistent mutable memory. ROM (read-only memory) is the most widely used persistent nonmutable memory. EEPROM (electrically erasable programmable read-only memory) is the most widely used persistent mutable memory, and RAM (random access memory) is the most widely used nonpersistent mutable memory.
FIG. 1 is a block diagram that illustrates a typical mechanism for memory management of a portable device. Device 100 includes a CPU (central processing unit) 105, RAM 110, ROM 115 and EEPROM 120. ROM 115 is typically used for storing fixed program units and the executive or kernel of the card 100. No power is needed to hold data in this kind of memory. However, it cannot be written to after the card 100 is manufactured. ROM 115 includes operating system routines 125 as well as permanent data 135 and user applications 130. The process of writing a binary image (representing programs and data) into ROM is called masking. It occurs during the chip fabrication process.
EEPROM 120, like ROM 115, can preserve data content when power to the memory is turned off. However, EEPROM 120 can be modified during normal use of the card 100. EEPROM 120 is therefore used for data storage. EEPROM 120 is the smart card's equivalent of a hard disk on a PC (personal computer). User applications can also be written into EEPROM 120 after the card 100 is made. EEPROM can be written to a limited number of times and has a limited data retention period. Additionally, reading from EEPROM 120 is as fast as reading from RAM 110, but writing to EEPROM 120 is typically several orders of magnitude slower than writing to RAM 110.
EEPROM 120 on a smart card 100 is typically separated into multiple partitions. As shown in FIG. 1, EEPROM 120 is separated into partitions for ROM patches (140), user application code (145) and user application data (150). The ROM patches partition 140 is used to store changes to the ROM 115 made after the masking. Read and write access to the various EEPROM partitions (140, 145, 150) may be controlled via a memory manager (not shown in FIG. 1) typically configured with one or more hardware fuses. The memory manager comprises hardware logic with configuration parameters that determine a smart card operational mode, EEPROM 120 partitioning information and EEPROM 120 read and write access control information for program code executing in a particular operational mode.
RAM 110 is typically used as temporary working space for storing and modifying data. RAM 110 is nonpersistent memory; that is, the information content is not preserved when power is removed from the array of memory cells. RAM 110 can be accessed an unlimited number of times and none of the restrictions found with EEPROM 120 apply.
ROM 115 is the least expensive of the three kinds of memory. EEPROM 120 is more expensive than ROM 115 because an EEPROM 120 cell takes up four times as much space as a ROM 115 cell. RAM 110 is very scarce in a smart card chip 100. A RAM 110 cell of the kind typically used in smart cards tends to be approximately four times larger than an EEPROM 120 cell.
Smart cards 100 typically have a test mode that is used for verifying the chips during the fabrication process, and for executing internal test programs while the semiconductors are still in the wafer or after they have been packaged in modules by the manufacturer. The test mode allows types of access to the memory that would violate security requirements and therefore are strictly forbidden when the chips are later in actual use. For technical reasons, however, it is an unavoidable requirement to be able to read data from the EEPROM 120 in this mode.
To obtain a high level of security, the change from the test mode to the user mode should be irreversible. This can, for instance, be realized by using a polysilicon fuse on the chip. In this case, a voltage is applied to a test point on the chip that is provided for this purpose, and this voltage causes the fuse to melt through. The chip is thus switched into the user mode using hardware. Normally, this cannot be reversed. However, a fuse is by its nature a relatively large structure on the surface of the chip. A fuse may be mechanically bridged after a passivation layer covering the chip has been partially removed where it covers the fuse. This puts the smart card 100 back into test mode, allowing the memory to be read out using the extended access options available in test mode. If a sufficient amount of the memory content is known, it is relatively easy to clone the smart card that has been read out. Other hardware fuse technology has been used to reduce the risk of physical defeat.
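As an added illustration (not part of this disclosure, and not any manufacturer's implementation), the following C model shows how a memory manager of the kind described for FIG. 1 decides whether program code in a given operational mode may touch a given EEPROM range, how blowing the fuse makes the test-to-user transition one-way, and why a mechanically bridged fuse reopens test-mode read access. The partition addresses, the per-mode access policy and every function name are assumptions chosen for the example.

```c
/* Added example: software model of a fuse-configured EEPROM memory manager.
 * Layout, policy and names are assumptions, not taken from the disclosure. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum mode { MODE_TEST = 0, MODE_USER = 1 };
enum op   { OP_READ = 1, OP_WRITE = 2 };          /* bitmask */

/* One EEPROM partition: address range plus permitted ops per mode. */
struct partition {
    const char *name;
    uint32_t    base, size;     /* assumed addresses */
    uint8_t     allowed[2];     /* indexed by enum mode */
};

/* Partitions of FIG. 1: ROM patches (140), application code (145), application
 * data (150). Assumed policy: test mode may read and write everything (test
 * mode must be able to read the EEPROM); user-mode program code gets no direct
 * access to the patch partition, read-only code and read/write data. */
static const struct partition parts[] = {
    { "rom_patches", 0x0000, 0x0400, { OP_READ | OP_WRITE, 0 } },
    { "app_code",    0x0400, 0x0C00, { OP_READ | OP_WRITE, OP_READ } },
    { "app_data",    0x1000, 0x1000, { OP_READ | OP_WRITE, OP_READ | OP_WRITE } },
};
#define NPARTS (sizeof parts / sizeof parts[0])

struct memmgr {
    bool      fuse_blown;   /* models the polysilicon fuse state */
    enum mode mode;
};

/* Blowing the fuse switches to user mode; software cannot undo it. */
void mm_blow_fuse(struct memmgr *mm)
{
    mm->fuse_blown = true;
    mm->mode = MODE_USER;
}

/* A request for test mode is refused once the fuse is blown. */
bool mm_request_mode(struct memmgr *mm, enum mode m)
{
    if (m == MODE_TEST && mm->fuse_blown)
        return false;
    mm->mode = m;
    return true;
}

/* Allow [addr, addr+len) only if it lies wholly inside one partition whose
 * policy for the current mode includes every requested op. Written so that
 * addr + len cannot wrap around. Unmapped or boundary-crossing ranges deny. */
bool mm_check_access(const struct memmgr *mm, uint32_t addr, uint32_t len, enum op op)
{
    for (size_t i = 0; i < NPARTS; i++) {
        const struct partition *p = &parts[i];
        if (addr < p->base || addr - p->base >= p->size)
            continue;
        if (len > p->size - (addr - p->base))
            return false;                       /* crosses the partition end */
        return (p->allowed[mm->mode] & op) == op;
    }
    return false;
}

/* How many EEPROM bytes code in the current mode can read at all. */
uint32_t mm_readable_bytes(const struct memmgr *mm)
{
    uint32_t total = 0;
    for (size_t i = 0; i < NPARTS; i++)
        if (parts[i].allowed[mm->mode] & OP_READ)
            total += parts[i].size;
    return total;
}

/* Models the physical attack: the fuse is bridged under the passivation, so
 * the logic again sees an intact fuse. No software check can notice this. */
void mm_bridge_fuse(struct memmgr *mm)
{
    mm->fuse_blown = false;
}

int main(void)
{
    struct memmgr mm = { false, MODE_TEST };
    mm_blow_fuse(&mm);
    printf("user mode readable bytes: %u\n", mm_readable_bytes(&mm));   /* 7168 */
    mm_bridge_fuse(&mm);
    mm_request_mode(&mm, MODE_TEST);
    printf("after bridging, readable bytes: %u\n", mm_readable_bytes(&mm)); /* 8192 */
    return 0;
}
```

The point the model makes explicit is that every access decision is derived from a single hardware bit, the fuse state; once that bit can be flipped on the die, the partition policy contributes nothing, which is the weakness the remainder of the disclosure addresses.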
A microprobe attack is a method used to extract information from a smart card 100. One such attack taps the busses between the CPU 105 and the memories (ROM 115, EEPROM 120 and RAM 110) of the smart card microcontroller. Before this can occur, the chip must be exposed and the passivation layer on the top surface of the chip must be removed. The passivation layer protects the chip against oxidation on the one hand, but it also protects the chip against attack, since sensors monitor its integrity. However, attacks are known that may defeat such countermeasures.
After the passivation layer has been removed from the entire surface of the chip, or only from selected locations, it would be at least theoretically possible to make contact with the address, data and control busses for the memory using microprobe needles. If electrical connections to all the lines of these three busses are made, it is relatively easy to address the individual memory cells and to read any desired regions of the ROM 115 and EEPROM 120. The chip does not have to be powered for this, and any desired type of connection jig can be used. The potential consequences of a successful attack using this method are serious, since it could make secret data in the non-volatile memory readable. This method could be extended by making connections to the busses and then operating the chip in a normal manner. In this way, it would be possible to eavesdrop on the complete data traffic between the CPU 105 and the memories (110, 115, 120), and this could be recorded using a sufficiently fast logic analyzer. Other microprobing attacks are possible.
Unfortunately, the ability to circumvent hardware fuse-based memory protection decreases card security. Accordingly, what is needed is a solution that provides a relatively secure partitioning of a smart card memory. A further need exists for such a solution that is relatively flexible.