1. Technical Field
The present disclosure relates to the protection of an integrated circuit chip against attacks aiming at obtaining protected confidential data.
2. Description of Related Art
In certain secure devices such as payment cards, integrated circuits chips are likely to process and/or store critical data, for example, encryption keys. Such chips may be fraudulently manipulated to obtain protected confidential data.
Among known attacks, so-called “fault injection attacks” comprise intentionally disturbing the chip operation and analyzing the influence of the disturbances on its behavior. The attacker especially examines the influence of the disturbances on data such as output signals, the consumption, or response times. He is likely to infer from it, by statistic studies or the like, critical data such as algorithms implemented by the chip, and possibly encryption keys.
To intentionally cause anomalies in the circuits of a chip, an attack mode comprises bombarding chip areas with a laser beam while the chip is operating. Faults can thus be injected into certain memory cells and/or affect the behavior of certain components. Due to the presence of interconnection metal tracks on the front surface side of the substrate, laser attacks are most often carried out on the back side of the chip. The attacker generally provides a preliminary step of thinning of the chip substrate, to decrease the beam attenuation by the substrate, and thus improve the efficiency of the attack.
To avoid frauds, chips comprising an attack detection device coupled with a chip protection circuit have been provided. When an attack is detected, the protection circuit implements measures of protection, alienation, or destruction of the critical data. For example, it may be provided, when an attack is detected, to interrupt the power supply of the chip or to cause its resetting, to minimize the time during which the attacker can study the chip response to a disturbance.
Attack detection solutions may be logic. They for example comprise regularly introducing into the calculations integrity tests enabling to make sure that data have not been modified. Such solutions have the disadvantage of introducing additional calculation steps, thus increasing the chip response times. Further, integrity tests cannot detect all the disturbances caused by an attacker. The latter thus has room for maneuver to acquire critical data.
Other so-called physical attack detection solutions comprise sensors sensitive to temperature variations, to ultraviolet or X rays, enabling to detect suspicious activities. Like logic solutions, such solutions are not perfectly reliable. Indeed, before the attack detection, the attacker has room for maneuver to obtain critical data. Further, the implementation of such solutions is complex and increases the silicon surface area to form the chip.
Another example of attack comprises locally etching the chip substrate from its back side to reach the active portion of the substrate, that is, the upper layer of the substrate in which the chip transistors are formed. The local etching of the substrate may comprise etching, from the back side, increasingly deep and narrow successive openings, the last openings being formed by means of a focused ion beam (FIB). As an example, the attacker may “open” a substantially circular area having a diameter ranging from a few tens of micrometers to a few hundreds of micrometers, having its bottom at the level of the active portion of the chip. At the end of this step, there only remains a thin substrate thickness, for example, approximately ranging from 0.5 to 1.5 μm, between the bottom of the opening and the stack of insulating layers and of interconnection metal tracks coating the front surface of the substrate. The attacker then forms holes of small diameter, for example, on the order of a few hundreds of nanometers, connecting the bottom of the opening to metal interconnection tracks of the circuit arranged on the front surface side of the substrate, and/or active areas of the circuit such as MOS transistor source or drain regions. The holes are filled with a conductive material such as tungsten to form vias. Contact pads are formed on the bottom of the opening, each pad covering one of the vias. Such an attack thus provides access to signals present in tracks of the first metallization level(s) of the integrated circuit, and/or in active areas of the integrated circuit.