Various techniques are used to provide security for data and software in an integrated-circuit. Data typically are entered by a customer into a bank terminal using a touchpad or a magnetic card reader. Entered data are then processed to make a secure transaction. Security is a necessity for such transactions and external access to the data must be denied. Therefore, to ensure that the data are not tampered with, stolen, or otherwise accessed without authorization, the data are commonly encrypted prior to transmission. However, data or software could still be accessed prior to encryption, such as, for example, by accessing the traces of an integrated circuit (IC) through which the unencrypted data are first sent. Integrated-circuit traces could be accessed by direct contact with the integrated-circuit traces, or by electronic surveillance techniques, such as decoding voltage on a lead by measuring electromagnetic changes, such as, induced magnetic fields, capacitance, etc.
In some secure integrated-circuit chips, a top-level conducting trace layer is added which consists of one or more signal nets routed in such a way as to obscure the underlying circuitry. This top-level conducting trace layer visually hides the underlying circuit. An optical probe would not be able to provide an image the underlying circuit and from this image develop a means for accessing the circuit. The top-level conducting trace layer prevents physical contact with the circuit such that a physical probe is prevented from contacting a conductive element in the underlying circuit to intercept a signal on that conductor. The top-level conducting trace layer also provides an electromagnetic shield for underlying circuits from interference caused by external electromagnetic signals. The top-level conducting trace layer may also provide an electromagnetic masking signal such that, if a sensitive probe attempts to monitor an electromagnetic signal, the masking signal would frustrate any attempt to intercept any underlying signals in the underlying integrated circuit.
A shield may include an electrical shield component and a conductive component. The conductive component can be actively electrically driven such that any disturbance to the conductive component, such as, for example, drilling through the conductive component or attempted modification to the conductive component, etc., is detected by a security circuit, which can then trigger a specific action, such as sounding an alarm, erasing data or software held by the circuit, etc.
An inherent feature of an active security trace system is that, when the voltage of the security trace layer changes, that change induces a related change in any adjacent conductors through the capacitance between the security trace layer and the adjacent conductors. The changing potential of the security trace causes a current to flow in any adjacent trace via capacitive coupling. A current induced in an adjacent circuit is given by the equation I=C dv/dt, where I is a current induced, C is the capacitance between adjacent traces, and dv/dt is the time rate of change of the drive voltage.
One type of security technique uses a pattern generator to generate a signal pattern that is driven through a security trace on an integrated circuit. The security trace may be embedded in the packaging of an integrated circuit or otherwise disposed in relation to a lower trace within the integrated circuit. The security trace is connected to a compare circuit that compares the signal generated by the pattern generator to a pattern received from the security trace. As a result of capacitive coupling, there is an unintended electrical coupling of the voltage change in the security trace to the lower trace. Ideally, the lower trace would be unaffected by any voltage change in the security trace. However, due to the unintended coupling through the unintended coupling capacitor between the traces, there is a dip in the signal as charge carriers migrate to the unintended coupling capacitor. This effect persists until the unintended coupling capacitor is fully charged, at which time there is a recovery to the intended signal strength. Depending upon the particular function of the lower trace, this unintended signal coupling may result in corrupted data, instruction errors, etc. The unintended coupling capacitor represents parasitic capacitance.
A system that compensates for the unintended voltage coupling, such as a differential system, would prevent any distortion of the signals in the underlying circuit.