1. Field
The disclosed embodiments relate to a component produced entirely or partly in the form of an integrated circuit and equipped with a cryptoprocessor, and to a method for installing the component. The component according to the disclosed embodiments is equipped with means for preventing its encryption secrets from being revealed. The disclosed embodiments are directed most particularly to cryptoprocessor components, but they might equally relate to all types of integrated circuits in which efforts are made to prevent them from functioning incorrectly, whether such incorrect functioning is caused by a concerted attempt to corrupt their operation or by a random attack from an external source (electrical, electromagnetic, thermal, particulate or other).
Data stored in an electronic component has always been protected by encryption with the aid of a key. It is imperative that the key remain secret.
2. Brief Description of Related Developments
In an electronic component, a cryptoprocessor is a processor that is dedicated to cryptographic operations. Its memory part contains one or more keys, which must remain secret, and which it uses for encrypting and/or decrypting the information it receives. Its primary elements include a non-volatile memory, which stores the key permanently while the component is deactivated, a volatile buffer memory (of SRAM or D flip-flop type, for example) into which the key is loaded by the operating system (if one exists) when the component is energized, and a microcontroller or microprocessor type logic circuit that is capable of performing operations for encrypting and decrypting messages using the secret key.
In electronic components, information is stored and forwarded in the form of charges which are trapped or guided inside the semiconductor material, silicon, by the action of electrical fields. A MOS transistor, which is at the heart of most digital logic circuits, is in effect a switch that allows charges to pass or prevents them from passing between its source and its drain depending on the voltage applied to its gate.
A new threat has surfaced recently, which is designed to extract the information contained in a cryptoprocessor component by injecting errors into it and analyzing the behaviour this provokes. There are many different methods for injecting usable errors (raising the temperature of the component, increasing the supply voltage to the component, transitory pulses, particles, and others). The methods that are assessed as being the most dangerous today are those which enable the errors to be injected into components with controlled areas, for example in a part of the static random access memory, SRAM, where an encryption key is stored. This is what happens during attacks using lasers or ion microbeams.
An attack on a cryptoprocessor by injecting errors consists of injecting charges locally so as to modify or mask the information that is being stored or forwarded. Analysis of the response of the cryptoprocessor following the injection of errors provides pirates with clues that help them to reduce the number of combinations and identify the key more quickly. An analysis of this kind is made even easier by the fact that the attack is very precise, in terms of both space and time. Various techniques exist for injecting errors, which differ in how difficult they are to execute; fortunately the most effective are also the most difficult to implement. For the record, a review of possible attacks on integrated circuits is given in the document “Memories: a survey of their secure uses in smart cards” written by Michael Neve, Eric Peeters, David Samyde and Jean-Jacques Quisquater (http://www.dice.ucl.ac.be/crypto), published in the Proceedings of the Second International IEEE Security in Storage Workshop (SISW 2003).
The simplest methods inject errors into the component randomly: this is what happens when the attack takes the form of raising the temperature, electromagnetic waves (radar, microwaves, radio), or particles (ions, neutrons or protons). In all three cases, the attack interferes with the whole component, and while it may be possible to select a zone, it is not possible to target a single bit or even several bits. Even so, with software processing and extremely advanced mathematics, it seems that it may be possible to exploit the results of such an attack. This type of attack is very easy to carry out because it does not require any specific access and can be conducted from a distance.
Then come the attacks via the circuit's input/outputs, which disrupt the nominal voltage using a voltage generator. These attacks can be carried out in phase (temporally) relative to the operating cycles of the circuit's clock. The result of the attack is still rather inconsistent, which means that a large number of combinations remain to be tried in order to extract the key, but this method is quite easy to carry out if one has access to the circuit.
Finally, there are methods by which the errors can be injected at chosen times and targeted extremely precisely (in theory, to the bit), which means for example that the attacker is then able to modify the bits containing the key one at a time, or even to interrupt the decryption operation. This is what happens in attacks using a laser or ion microbeams. These methods are difficult to carry out because they require access to the component, that is to say the component's housing must be opened and the integrated circuit and chip must be exposed. In order to defend themselves from these attacks, manufacturers implement countermeasures to prevent decapsulation, the effectiveness of which is variable.
The aspects of the disclosed embodiments protect components against attacks of this nature.
Triggering of a parasitic thyristor, called latchup, and triggering of a parasitic bipolar transistor, called snapback, are mechanisms that are inherently present in any integrated circuit component: the first in components of the backup implantation (CMOS) type, the second in components of the non-backup implantation type. They occur when charges introduced locally into the component activate the parasitic thyristor, or the horizontal bipolar transistor in the second case. The supply current for the component then rises sharply, and because of the current that passes through it and/or the fall in supply voltage this causes, the component ceases functioning. If there is no limitation on the current, the thermal effect may destroy the circuit, so it is preferable to provide current limitation on the circuit feed. In any event, the circuit does not become functional again until the supply has been cut off and it has been energized again. In the rest of this document, we will use the term parasitic triggering to refer to the activation of either of these phenomena: triggering of a parasitic thyristor (latchup) and triggering of a parasitic bipolar transistor (snapback). Both of these phenomena are described in the document published in 1999 by Fairchild Semiconductor Corporation entitled “Understanding Latch-up in Advanced CMOS Logic”.
Depending on the position of the contacts in the component, the charge level that triggers the parasitic structures (called the latchup threshold or snapback threshold) may vary widely. Component manufacturers therefore generally try to raise this level to the maximum, since the mechanism can be triggered by a natural radiant environment (particles), by electrostatic discharges, or even by noise at the inputs or outputs. Nevertheless, it seems easier for a chip manufacturer to design a technology that is sensitive to latchup/snapback than a technology that is insensitive.
As a general rule, it has been noted that the first batches manufactured at each generation jump are sensitive to latchup. Then, the manufacturers correct the manufacturing procedures of the architecture of the component circuitry so that the components have higher triggering thresholds. As a consequence, many components that are sensitive to latchup have found their way onto the commercial market, which forces those who use these components in a severely radiant environment (such as the space environment, for example) to carry out systematic sorting of commercial components.
Studies on the susceptibility of integrated circuits to latchup have been published:
in an article entitled “Extreme latchup susceptibility in modern commercial off the shelf (COTS) monolithic 1 M and 4 M CMOS static random access memory (SRAM) devices” written by Thomas E. Page and Joseph M. Benedetto, published in Radiation Effects Data Workshop, 2005, IEEE, 11-15 Jul. 2005, pages 1 to 7;
in an article entitled “Destructive single event effect in semiconductor devices and ICs” by Fred W. Sexton, published in IEEE Transactions on Nuclear Science, Vol. 50, No. 3, June 2003;
and in “Proposal for solid state particle detection based on latchup effect” written by A. Gabrielli and published in Electronics Letters, 26 May 2005, Vol. 41, No. 11.
Injecting errors is a local injection of charges into a circuit that disrupts the proper function thereof. The minimum charge quantities needed to cause this disruption may be defined as the circuit disruption threshold. The threshold for latchup or snapback is defined as the minimum charge quantity that must be injected locally to trigger the latchup or snapback mechanism.
We have chosen to exploit this effect in the disclosed embodiments to resolve the problem of protecting integrated circuit components with cryptoprocessors, in order to protect the information contained in a component against injection of errors. In fact, if all of a component with a cryptoprocessor (or at least the parts that hold the key transiently) is constructed using circuits that have been deliberately chosen to be sensitive to latchup or snapback, that is to say with a trigger threshold lower than the threshold at which error injection disrupts the circuits, the component is protected intrinsically. In the event of error injection (that is to say charge injection) by any means whatsoever, the parasitic structure is activated. This activation causes the supply current for the circuit to rise extremely sharply.
This very large current can damage the integrated circuit component irreparably. To avoid this final drawback, a simple latchup detection circuit is provided (by measuring the increase in the supply current to the component). For example, this detection circuit is of the same type as the one described in the last article cited above. This detection circuit then enables activation of a current limiting circuit so that the component is not destroyed. The current limiting circuit maintains the supply voltage for the internal parts of the circuit at a voltage below that which is needed to allow it to function. Therefore, the component can no longer function until it is re-initialized, which makes it impossible to extract any data from it. In fact, such a solution comes down to using the cryptoprocessor itself as the immediate detector of an attack.
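The protection described in the preceding two paragraphs rests on an ordering of two thresholds per region of the die (parasitic trigger threshold below disruption threshold) plus a supply-current detector that engages a limiter and holds the part non-functional until power is cycled. The following model is an added illustration written for this page, not the patent's circuit or any manufacturer's design; the charge units, threshold values, current figures, trip ratio, region names and the toy XOR "decryption" are all constructed to show the logic, and it also models the failure mode the text warns against, where a region's latchup threshold lies above its disruption threshold and a bit is altered with nothing tripping.

```python
"""Model of latchup/snapback based protection against charge injection.

Added example, not the patent's own circuit: every numeric value and name
below is constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Region:
    """A zone of the die with its two charge thresholds (constructed units)."""
    name: str
    latchup_threshold: float     # minimum local charge that fires the parasitic structure
    disruption_threshold: float  # minimum local charge that alters stored information


@dataclass
class Component:
    """Cryptoprocessor component with a supply-current detector and limiter."""
    regions: dict
    nv_key: int = 0xA5               # constructed key held in non-volatile memory
    nominal_current_ma: float = 5.0  # quiescent supply current (constructed)
    surge_ratio: float = 20.0        # current multiple when a parasitic structure fires
    trip_ratio: float = 3.0          # detector trips above this multiple of nominal
    sram_key: int = field(init=False)
    supply_current_ma: float = field(init=False)
    limited: bool = field(init=False, default=False)

    def __post_init__(self):
        # energizing the part loads the key from non-volatile memory into SRAM
        self.sram_key = self.nv_key
        self.supply_current_ma = self.nominal_current_ma

    def intrinsically_protected(self) -> bool:
        """True when every region fires its parasitic structure before data can be disrupted."""
        return all(r.latchup_threshold < r.disruption_threshold
                   for r in self.regions.values())

    def inject(self, region_name: str, charge: float) -> str:
        """Inject a local charge into one region and report the outcome."""
        region = self.regions[region_name]
        if self.limited:
            return "already_limited"          # part is held non-functional; nothing to observe
        if charge >= region.latchup_threshold:
            # parasitic thyristor / bipolar transistor fires: supply current rises sharply
            self.supply_current_ma = self.nominal_current_ma * self.surge_ratio
            if self.supply_current_ma > self.trip_ratio * self.nominal_current_ma:
                # detection circuit sees the surge and engages the current limiter,
                # holding the internal supply below the level needed to function
                self.limited = True
                self.supply_current_ma = self.nominal_current_ma * 0.2
                return "latched_and_limited"
            return "latched_undetected"       # only reachable if trip_ratio >= surge_ratio
        if charge >= region.disruption_threshold:
            # the unprotected case: information is altered and no parasitic trigger occurs
            self.sram_key ^= 0x01
            return "corrupted_undetected"
        return "no_effect"

    def decrypt(self, ciphertext: int):
        """Toy XOR decryption; returns None while the limiter holds the part off."""
        if self.limited:
            return None
        return ciphertext ^ self.sram_key

    def power_cycle(self) -> None:
        """Only cutting and restoring the supply clears the parasitic state."""
        self.limited = False
        self.__post_init__()


def build_component(latchup: float, disruption: float) -> Component:
    """Single-region component whose SRAM key zone has the given thresholds."""
    return Component(regions={"key_sram": Region("key_sram", latchup, disruption)})


if __name__ == "__main__":
    part = build_component(latchup=10.0, disruption=30.0)
    print("protected:", part.intrinsically_protected())
    print(part.inject("key_sram", 15.0), "->", part.decrypt(0xFF))
    part.power_cycle()
    print("after power cycle ->", hex(part.decrypt(0xFF)))
```

The two builder calls in the test contrast a part whose key zone trips at a charge below the disruption threshold (every injection large enough to matter latches the part and the limiter blanks it until a power cycle) with a part whose ordering is reversed, where the same injection silently flips a key bit and decryption keeps answering with wrong values the attacker can analyse.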