Chip cards for storing safety-relevant or monetary data have become very widespread. They can be used as access keys. Further areas of use are applications such as telephone cards, electronic travel cards or debit cards. The sensitive data can be changed, at least in the case of debit cards, for example when the credit on a telephone card decreases during telephoning. The storage and processing of the sensitive data is made possible by a chip module inserted into the chip card and having an integrated circuit arrangement, which is normally formed as a chip.
The production of such a chip is a highly technological process, in which it is not possible to rule out some chips not functioning after production. Therefore, the chips are usually tested after production, it being necessary to draw a balance between the most comprehensive test and the expenditure of time associated therewith.
One possible configuration of such a functional test is what is known as a “built-in self test” (BIST).
During a subsequent use of the chip in the chip card, it is not possible for attacks to be ruled out. The attacks on the sensitive data of the chip are carried out, for example, by means of “probing” or “forcing”. In the case of probing, the data transmitted within the chip module is tapped off by means of fine needles and evaluated. In the case of forcing, an access to the data is made in a similar way. In this case, by supplying external data, an attempt is made to manipulate the data processing of the chip, in order for example to gain information about its functioning, its security mechanisms or its sensitive data.
Such physical attacks are carried out, for example, with what is known as an FIB device (short for “focused ion beam”). By means of these devices, the integrated circuits on the chip module can be deliberately manipulated. By means of the vapor deposition of gases over a closely limited range, covering or protective layers of the integrated circuit can specifically be etched away. Furthermore, these devices also permit isolators to be inserted into conductor tracks of the circuit to be examined or the application of additional lines. As a result, rewiring of the circuit to be examined is carried out on a microscopic scale.
Measures against such attacks comprise, for example, what are known as dummy lines, which are provided in addition to the actual circuit arrangement. These are lines without any function within the actual circuit, which are arranged in the initially free regions of the circuit arrangement. Dummy lines are intended to confuse the attacker about the actual structure of the circuit and to deceive him about the circuit functionality. By means of suitable tools for circuit analysis, dummy lines can be detected with little effort and, if they are passive lines, that is to say non-signal-carrying lines, they can easily be circumvented or severed.
In a further development, the dummy lines have a constant voltage applied to them, so that at least the severing of these dummy lines is detected. This protective mechanism can also be circumvented with little effort if the lines are rewired without influencing the applied voltage, in order to gain access to the lines of the circuit planes arranged under them.
A further safeguard against physical attacks is what is known as an “active shield” or active protective shield. This is a large number of lines, for example running in parallel, which are arranged in an uppermost circuit plane similar to a fine covering grid. These lines have random sequences of numbers applied to them, which are detected by a suitable circuit unit with regard to possible changes in the random sequences. A change permits a conclusion to be drawn about an attack. The disadvantage of such an active protective shield is the associated considerable expenditure on circuitry, in particular for the random number generator and the detecting circuit unit.