Integrated circuit smart cards have been used frequently in credit card, banking card and identification card applications and other card-based applications requiring secure data transactions. Smart cards typically include an embedded integrated circuit that includes both microprocessor components and nonvolatile memory, which may store secure information (e.g., secret key codes, cryptograms, passwords, etc.) and other information that may be used by the microprocessor. The use of secret codes enables the smart cards to carry out secure cryptographic computations or communications when they are used in conjunction with smart card readers and other compatible devices.
Many techniques have been developed to unlawfully acquire the secure information stored within smart cards. Some of these techniques include cryptanalytic techniques, which can generally be classified into two categories. These categories include passive attack techniques and active attack techniques. In a passive attack technique, operations are typically performed to measure external electrical characteristics of a smart card when it is undergoing normal operations. For example, external current and voltage signals generated or received by the smart card may be measured to extract internal secure information, without damaging or destroying the card or its internal components. In contrast, in an active attack technique, secure information may be extracted by probing the card in a manner that damages or destroys one or more internal components and renders the card unusable for its intended use.
Certain passive attacks may analyze a power consumption curve of a smart card when the card is performing cryptographic operations. These types of passive attacks include both simple power analysis (SPA) attacks and differential power analysis (DPA) attacks. In an SPA attack, an attacker evaluates a single power consumption curve and determines from that curve the identity of the instructions and possibly the Hamming weight of data words read from or written to the card. However, in a DPA attack, the attacker may evaluate multiple power consumption curves. These passive attacks are more fully described in an article by A. Shamir, entitled “Protecting Smart Cards from Passive Power Analysis with Detached Power Supplies,” Crytographic Hardware and Embedded Systems (CHES), LNCS 1965 (200), pp. 71-77.
FIGS. 1-2 illustrate operations to perform an SPA attack on a smart card containing an integrated circuit (IC) chip 1. This chip 1 is more fully described at pages 420-424 of a textbook by W. Rankl and W. Effing entitled Smart Card Handbook, John Wiley & Sons, Ltd. (ISBN 0 471 98875 8) (2000). As illustrated, the IC chip 1, which includes a microprocessor and memory elements 2, has six terminals. These terminals include a power supply terminal (Vcc), a ground reference terminal (GND), a reset terminal (RST) for receiving a reset signal, a clock terminal (CLK) for receiving a clock signal, an I/O terminal that is configured to output and receive commands and/or data (DATA), and a reserved use (RFU) terminal. The power supply terminal Vcc receives an external voltage (shown as Vx). An ammeter (A) is also provided for measuring the magnitude and direction of a current signal Ix that is supplied to the IC chip 1. As will be understood by those skilled in the art, when the external voltage Vx is supplied to the IC chip 1 and the microprocessor and memory elements 2 undergo operations, the current measured by the ammeter (A) may reflect the nature of the operations being performed. Thus, as illustrated by FIG. 2, the current signal Ix may constitute a waveform that identifies whether the IC card 1 is undergoing a non-operation (NOP), a multiplying operation (MUL) or a jumping operation (JMP). Moreover, by capturing and evaluating the current waveform as a function of time, cryptanalysis may perform an SPA attack and thereby extract a secret code retained by the memory element. The IC chip 1 of FIG. 1 is also susceptible to DPA attacks, which may evaluate the magnitude and direction of differential input currents.
U.S. Pat. No. 6,507,913 to Shamir discloses an apparatus for protecting smart cards against SPA and DPA attacks when they are inserted into card readers. As illustrated by FIG. 1 of the '913 patent, the apparatus includes two capacitors 3 and 4 that are embedded within a smart card substrate (e.g., plastic card). The capacitors 3 and 4 are switched in an alternating back-and-forth sequence so that at any given time one of them is being charged by an external power supply and the other one is being discharged by a smart card chip 1. Thus, during the operation of the smart card 10, the external power supply remains detached from the smart card chip 1. Nonetheless, because the voltages on the capacitors 3 and 4 will be reduced by an amount proportional to the amount of current consumed by the chip 1 during each switching interval, it may be possible to indirectly detect the current consumption profile of the chip 1 by evaluating the external pulsed current waveforms provided to the capacitors 3 and 4 after they have been partially discharged in each cycle. Accordingly, notwithstanding the additional protection provided by the apparatus of the '913 patent, SPA and DPA attacks may still be possible.