The invention relates generally to security in programmed devices, and, more particularly, to an apparatus for providing a secure environment for processing confidential data and/or confidential programmed steps such as software and the like.
The financial value of data and/or programmed instructions (e.g., software) is often dependent upon its general availability to the interested public. For example, if information in the form of data or programmed instructions is made available free of charge on the Internet, the commercial value of that information will quickly fall toward zero as few people will pay to receive something they can readily obtain for free. Thus, the desirability of maintaining the secrecy of data and/or programmed instructions with respect to all but paying purchasers of the secret information has long been known.
There are many contexts in which the concept of deriving value from information by limiting access thereto has been exploited. For example, conditional access broadcasting networks such as cable television networks and, more recently, direct satellite broadcasting networks are based on the premise of limiting access to broadcasted information to paying subscribers. Even more recently, the idea of limiting access to broadcasted data has been extended to the computer networking context by Hughes Network Systems' DirecPC™ product. The DirecPC™ product broadcasts requested information to a requesting computing device (typically, a personal computer) via a satellite as a means of expediting information delivery from the Internet.
Most such broadcasting systems employ one or more cryptographic techniques to control access to the broadcasted information. For example, most such systems employ one or more keys to encrypt broadcasted data in accordance with a mathematical algorithm that makes it very difficult to decrypt the data in a reasonable amount of time absent knowledge of the key used to encrypt the data. An explanation of many such cryptographic techniques, including an explanation of the Data Encryption Standard (DES) algorithm that is frequently employed to encrypt broadcasted information, is contained in Schneier, Applied Cryptography, (Second Ed. 1996), which is hereby incorporated in its entirety by reference. (DES itself, with its 56-bit key, has since been shown to be breakable by exhaustive key search and has been superseded by AES; nothing described here depends on the particular block cipher chosen.)
The need to protect the secrecy of information is not limited to the broadcasting context. There are many applications wherein it is important from, for example, a commercial standpoint to maintain the secrecy of information as it is locally processed by a personal computer. By way of example, not limitation, in some applications it is desirable to permit processing of secret data while maintaining the secrecy of the data to the outside world. By way of another example, in some instances it is desirable to permit secret execution of programmed instructions (e.g., software) within a processor without permitting access to the decrypted instructions themselves outside of the processor.
Various devices have been developed for maintaining the secrecy of information. However, since the secret information protected by these devices often has significant commercial value, a sub-culture of individuals commonly referred to as "hackers" has developed. These individuals spend considerable amounts of time attempting to frustrate or "hack" the security measures of these devices in an effort to usurp the commercial value of the secret information. The hackers have had varying levels of success in their efforts. Accordingly, there is a need for an improved, more flexible apparatus for providing a secure environment for processing information which achieves a higher level of security against hackers than known devices. In addition, there is a need for such an apparatus that overcomes the memory limitations inherent in secure devices and whose software can be upgraded in the field.
It is a well known assumption of accepted cryptographic practice (Kerckhoffs's principle) that secrecy must reside entirely in the keys of the system. In other words, for a device to be deemed secure, an attacker having access to all information about the system except for the keys must still be unable to decrypt encrypted information in a reasonable amount of time. Thus, the secrecy of the key material is of paramount importance in a device for providing a secure environment.
To this end, devices for encrypting, decrypting and/or maintaining the secrecy of information typically include a secure memory of some type for storing key material and other possibly sensitive data. In order to control access to that key material, it is often necessary to limit access to the secure memory to trusted software and/or hardware components. More specifically, it is often necessary to place restrictions on when, who, and under what circumstances the memory storing key material can be addressed.
One problem with limiting access to a memory is testability. In order to verify that the memory is functioning properly before releasing a device into the field, it is often necessary to have full read/write access thereto, and such access must typically be provided after the device is completely, or nearly completely, constructed. A related problem is restricting access in field-deployed units while still allowing initial programming in the factory. As a result, such devices often include a testing mode wherein, upon occurrence of a certain condition or event, the device assumes it is in test mode and permits full read/write access to the memory. If a hacker is able to fool a device containing key material into entering the test mode, the hacker may potentially obtain full access to the stored key material, thereby completely compromising the security of the device.
In some prior art approaches, one or more mode bits stored in memory, in an anti-fuse device, or the like, define whether the memory contains confidential data and/or whether the memory is in the testing mode. The mode bit(s) may also be implemented as a simple checksum on the data in memory; in other words, the mode bit(s) may be set equal to some mathematical function of some or all of the data stored in memory. Regardless of which traditional method for defining the mode bit(s) is employed, if a hacker changes the state of the mode bit(s), or, in the checksum case, rewrites the data together with a matching checksum (an unkeyed checksum can be recomputed by anyone who can write the memory), the hacker can potentially cause the memory to unlock into the testing mode, thereby compromising the key material it contains. Thus, it is desirable to provide an improved method and apparatus for determining whether a memory contains confidential data which is not dependent upon mode bit(s) stored in that memory or upon a checksum value stored in memory.
In accordance with an aspect of the invention, an apparatus for providing a secure processing environment is provided. The apparatus includes a read/write memory for storing information; a first processor cooperating with the read/write memory for reading information therefrom and writing information thereto; and a cipherer in communication with the read/write memory. The cipherer is configured to selectively decrypt encrypted information into decrypted information and to deliver the decrypted information to the read/write memory for subsequent use by the first processor. The apparatus is further provided with an authenticator for authenticating the decrypted information prior to use by the first processor.
In some embodiments, the authenticator re-authenticates decrypted information received from the read/write memory, and the cipherer is configured to selectively encrypt the decrypted, re-authenticated information into re-encrypted information. In such embodiments, the cipherer may optionally return the re-encrypted information to the read/write memory for subsequent exportation to a storage device or may optionally directly export the re-encrypted information. Also in such embodiments, the cipherer preferably re-encrypts the decrypted, re-authenticated information such that it differs from its original encrypted form to mask modification information. In such embodiments, the cipherer employs key-cycling and/or cycling of the whitening key to mask the modification information.
In some embodiments, authentication data employed to re-authenticate the decrypted information prior to re-encryption is stored in the read/write memory for subsequent use in authenticating the decrypted information.
In some embodiments, the first processor has a kernel mode of operation and a user mode of operation, and the kernel mode and the user mode define separate security cells. In such embodiments, the first processor preferably executes non-secure software in the user mode of operation and secure software in the kernel mode of operation.
In some embodiments, the apparatus is provided with a second processor. The second processor is in communication with the cipherer and with the read/write memory to thereby selectively initiate decryption and re-encryption of information stored in the read/write memory. In some such embodiments, the cipherer comprises the authenticator.
In some embodiments, the apparatus is further provided with a non-volatile memory and a logic circuit for controlling access to the data contained in the non-volatile memory, wherein the logic circuit selectively accesses the non-volatile memory to determine whether the data contained in the non-volatile memory comprises confidential data by analyzing a property inherent in the accessed data. In some such embodiments, the logic circuit determines whether the data contained in the non-volatile memory comprises confidential data by identifying data blocks in the accessed data having a predetermined characteristic, by counting the identified data blocks, and by comparing the count to a threshold value. In some such embodiments, each of the data blocks may comprise a bit and the predetermined characteristic may comprise a predefined logic state. Alternatively, each of the data blocks may comprise a plurality of bits, and the predetermined characteristic may comprise a binary value falling within a range of binary values.
In some embodiments which employ a non-volatile memory as described above, a key isolation circuit is provided directly connecting the logic circuit to the cipherer. In some such embodiments, the non-volatile memory stores a key, and the key isolation circuit delivers the key to the cipherer. In any of the foregoing embodiments, the logic circuit, the key isolation circuit and the cipherer preferably define a closed system.
In some embodiments, the non-volatile memory, the first processor, the read/write memory, and the cipherer are embedded on an integrated circuit. In such embodiments, the integrated circuit includes pins for connecting the apparatus to external devices, and the apparatus further comprises a silencing circuit for selectively disabling the pins to avoid disclosure of sensitive information outside the secure environment, and/or the apparatus further comprises a watchdog circuit adapted to monitor the integrated circuit for tampering.
In some embodiments, the apparatus includes a memory management unit cooperating with the first processor for maintaining a plurality of security cells.
In some embodiments, the cipherer comprises a crypto-module.
In any of the foregoing embodiments, the authentication may be performed by authenticating the encrypted information prior to decryption.
In any of the foregoing embodiments, the encrypted information may comprise encrypted processor instructions and/or encrypted data.
In any of the foregoing embodiments, the encrypted information may be segmented into sections. In such embodiments, the segments are preferably independently encrypted and authenticated.
In accordance with another aspect of the invention, an integrated circuit for providing a secure processing environment is provided for use with an external memory. The apparatus includes a volatile memory having a storage capacity which is less than the storage capacity of the external memory. The apparatus further comprises import/export means for selectively importing and exporting encrypted information between the external memory and the volatile memory; and cipher means for decrypting encrypted information received from the volatile memory into decrypted information within the secure environment and for encrypting the decrypted information back into encrypted information within the secure environment. In addition, the apparatus includes a processor for processing the decrypted information within the secure environment. The processor cooperates with the import/export means to selectively import encrypted information from the external memory into the volatile memory and to export re-encrypted information back to the external memory, so that the storage capacity of the volatile memory is never exceeded; information only ever crosses the boundary of the secure environment in encrypted form.
In some embodiments, the cipher means encrypts information such that encrypted information corresponding to decrypted information has a first form when imported from the external memory and a second form different from the first form when exported to the external memory, even when the corresponding decrypted information is unchanged. In some such embodiments, the cipher means decrypts encrypted information using a first whitening key and encrypts decrypted information using a second whitening key different from the first whitening key. In some such embodiments, the apparatus is provided with a cryptographically strong pseudo-random number generator that generates the second whitening key.
In some embodiments, the apparatus includes means for authenticating the decrypted information within the secure environment. In some such embodiments, the authenticating means authenticates the decrypted information after importation from the external memory and re-authenticates the decrypted information prior to encryption and exportation to the external memory.
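The export path described above (re-authenticate, then re-encrypt under a cycled whitening key so the ciphertext written back differs even when the plaintext did not), together with the independently encrypted and authenticated segments mentioned earlier, is shown end to end below. This is an added example and not the patent's cipherer or code. Its assumptions: a 4-round Feistel network with an HMAC-SHA256 round function stands in for whatever block cipher the device uses; the pre/post whitening is the DESX construction; per-block masks are derived from the segment's whitening key; the per-segment table of whitening key and tag is kept inside the secure boundary; and the segment index is bound into the tag as a hardening measure the text does not mention.

```python
import hashlib
import hmac
import secrets

BLOCK = 32    # cipher block: two 16-byte Feistel halves
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: keyed PRF of (round number, half block). A
    # stand-in for the device's real block cipher; the whitening below does
    # not depend on which cipher sits here.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:16]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:16], block[16:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:16], block[16:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r


def _masks(wkey: bytes, idx: int):
    # Pre/post whitening masks for block idx, derived from the segment's
    # whitening key so equal plaintext blocks inside one segment differ too.
    m = hmac.new(wkey, idx.to_bytes(4, "big"), hashlib.sha512).digest()
    return m[:32], m[32:]


class SecureSegmentStore:
    """Cipherer plus authenticator. External memory only ever sees ciphertext;
    self.table (whitening key and tag per segment) stays inside the chip."""

    def __init__(self, cipher_key: bytes, auth_key: bytes):
        self.ck, self.ak = cipher_key, auth_key
        self.table = {}

    def _tag(self, seg: int, plaintext: bytes) -> bytes:
        # Segment index bound into the tag (assumed hardening): a valid
        # segment cannot be replayed into another segment's slot.
        msg = seg.to_bytes(4, "big") + plaintext
        return hmac.new(self.ak, msg, hashlib.sha256).digest()

    def _crypt(self, wkey: bytes, data: bytes, encrypt: bool) -> bytes:
        out = bytearray()
        for i in range(0, len(data), BLOCK):
            pre, post = _masks(wkey, i // BLOCK)
            blk = data[i:i + BLOCK]
            if encrypt:   # DESX-style: C = post ^ E_K(P ^ pre)
                out += _xor(block_encrypt(self.ck, _xor(blk, pre)), post)
            else:         # P = D_K(C ^ post) ^ pre
                out += _xor(block_decrypt(self.ck, _xor(blk, post)), pre)
        return bytes(out)

    def export(self, seg: int, plaintext: bytes) -> bytes:
        """Re-authenticate, then re-encrypt under a freshly drawn whitening key;
        returns the ciphertext to be written back to external memory."""
        if len(plaintext) % BLOCK:
            raise ValueError("segment length must be a multiple of BLOCK")
        wkey = secrets.token_bytes(32)          # cycled whitening key (CSPRNG)
        self.table[seg] = (wkey, self._tag(seg, plaintext))
        return self._crypt(wkey, plaintext, encrypt=True)

    def import_(self, seg: int, ciphertext: bytes) -> bytes:
        """Decrypt a segment read from external memory and authenticate it
        before the processor is allowed to use it."""
        if seg not in self.table:
            raise ValueError("unknown segment")
        wkey, tag = self.table[seg]
        plaintext = self._crypt(wkey, ciphertext, encrypt=False)
        if not hmac.compare_digest(self._tag(seg, plaintext), tag):
            raise ValueError("segment %d failed authentication" % seg)
        return plaintext


def rejected(store: SecureSegmentStore, seg: int, ct: bytes) -> bool:
    try:
        store.import_(seg, ct)
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Constructed keys and a constructed 64-byte segment."""
    store = SecureSegmentStore(cipher_key=b"K" * 32, auth_key=b"A" * 32)
    seg = b"secret instructions".ljust(BLOCK, b".") * 2
    c1 = store.export(0, seg)
    c2 = store.export(0, seg)          # unchanged plaintext, new whitening key
    tampered = bytearray(c2)
    tampered[5] ^= 0x01
    return {
        "differs": c1 != c2,                                # modification masked
        "roundtrip": store.import_(0, c2) == seg,
        "tamper_detected": rejected(store, 0, bytes(tampered)),
        "stale_rejected": rejected(store, 0, c1),           # old ciphertext, old key
    }
```

Because the table is overwritten on every export, a ciphertext captured from external memory before the last export decrypts to garbage under the current whitening key and fails the tag check. That gives rollback protection at the segment level for free, which is worth knowing when deciding whether the external memory needs any integrity protection of its own.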
In accordance with an aspect of the invention, a method for tamper checking an integrated circuit for performing secure operations is provided. The method comprises the steps of: detecting an event; executing a built in self test on at least one element of the integrated circuit to determine if a tamper has occurred; and if the built in self test indicates a tamper has occurred, placing a restriction on at least one operation of the integrated circuit.
In some embodiments, the method also includes the steps of: holding a processor associated with the integrated circuit in a reset state such that a predefined memory storing key material cannot be accessed; if the at least one element passes the built in self test, releasing the processor from the reset state; and if the at least one element fails the built in self test, holding the processor in the reset state. In some such embodiments, the at least one element comprises the predefined memory, and/or the at least one element comprises a logic circuit.
In any of the foregoing embodiments, the detected event may comprise a reset event.
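The reset-time sequence above (detect the reset event, hold the processor, run a built in self test on the key memory, release only on a pass) is worked through below. This is an added example, not the patent's own test logic: a March C- algorithm is used as the memory BIST, a byte-wide SRAM model with injectable stuck-at faults stands in for the key memory, and it is assumed that the memory contents can be latched inside the chip for the duration of the test and that the latch is not externally readable.

```python
class Sram:
    """Byte-wide memory model with stuck-at faults for injection.
    stuck maps (address, bit) -> forced value."""

    def __init__(self, contents: bytes, stuck=None):
        self.cells = bytearray(contents)
        self.stuck = dict(stuck or {})

    @property
    def size(self) -> int:
        return len(self.cells)

    def write(self, addr: int, value: int) -> None:
        self.cells[addr] = value & 0xFF

    def read(self, addr: int) -> int:
        v = self.cells[addr]
        for (a, bit), forced in self.stuck.items():
            if a == addr:
                v = (v & ~(1 << bit)) | (forced << bit)
        return v & 0xFF


def march_c_minus(mem: Sram, z: int = 0x00, o: int = 0xFF) -> bool:
    """March C- (10n operations): w0; up(r0,w1); up(r1,w0); down(r0,w1);
    down(r1,w0); r0. Detects stuck-at, transition and most coupling faults.
    z and o are the byte patterns used as 'zero' and 'one'."""
    up = range(mem.size)
    down = range(mem.size - 1, -1, -1)
    for a in up:
        mem.write(a, z)
    for order, (expect, nxt) in ((up, (z, o)), (up, (o, z)),
                                 (down, (z, o)), (down, (o, z))):
        for a in order:
            if mem.read(a) != expect:
                return False
            mem.write(a, nxt)
    return all(mem.read(a) == z for a in up)


def run_bist(mem: Sram) -> bool:
    """The march test is destructive, so the contents are latched first and
    restored only on a pass. On a failure the memory is left holding a test
    pattern and the processor stays in reset, so the key material is never
    reachable. Two pattern pairs catch faults a single pair would miss."""
    saved = bytes(mem.read(a) for a in range(mem.size))
    passed = march_c_minus(mem, 0x00, 0xFF) and march_c_minus(mem, 0x55, 0xAA)
    if passed:
        for a, v in enumerate(saved):
            mem.write(a, v)
    return passed


class SecureSoc:
    def __init__(self, key_mem: Sram):
        self.key_mem = key_mem
        self.cpu_in_reset = True     # key memory is not addressable while held

    def on_reset_event(self) -> bool:
        """Reset is the detected event: hold the CPU, run the BIST on the key
        memory, release only on a pass. Returns True if the CPU was released."""
        self.cpu_in_reset = True
        if run_bist(self.key_mem):
            self.cpu_in_reset = False
        return not self.cpu_in_reset
```

The restriction applied on failure here is the one the text names, holding the processor in reset. A single stuck bit anywhere in the key memory is enough to keep the part held, which is the intended behaviour: a cell that has been altered by a physical attack looks no different to the test than a manufacturing defect.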
Other features and advantages are inherent in the apparatus claimed and disclosed or will become apparent to those skilled in the art from the following detailed description and its accompanying drawings.