1. Field of the Invention
The invention relates to integrated circuits for which security of operation has to be provided against attempts at fraudulent use.
This is the case notably with integrated circuits for chip cards designed, for example, to carry out monetary transactions or to enable access by specific individuals to protected premises etc.
These integrated circuits incorporate confidential information elements, stored in memories, for example non-volatile, electrically erasable, and programmable memories. It is necessary that these information elements are not sent out of the circuit through fraudulent operations.
2. Description of the Prior Art
This is why there is generally provision, in the integrated circuit, for a certain number of sensors known as security sensors, the function of which is to observe a certain number of operational or environmental conditions and prompt a break in the functioning of the circuit when abnormal conditions are detected.
For example, there is a frequency sensor that observes the working frequency of the circuit and is capable of giving a signal if this frequency is below a determined threshold (an excessively low frequency would make it easier for a spy to observe the behavior of the circuit or of the card step by step).
In the same way, there may be a supply voltage sensor that provides a signal if this voltage is too low or too high. And again, a light sensor that detects any instance where the package of the integrated circuit is opened in order to obtain access, by observation, to confidential information. Again, for example, there may be a passivation sensor (to sense the presence of a passivation layer above the circuit), a temperature sensor etc.
Thus, several physical safety sensors are provided, and each of them may deliver a logic signal representing the appearance of a fault.
In microprocessor-based integrated circuits, it is normal to design the system so that the security check is conducted by the microprocessor of the circuit itself.
It has already been proposed that the logic signals coming from the physical safety sensors should be memorized in a register that is directly controlled by the microprocessor. This register is initially set at zero. The appearance of a non-null bit at a position of the register means that an abnormal condition of operation has been observed. The setting of a bit in the register is irreversible in principle, i.e. a bit stored in the register does not disappear even if the abnormal conditions disappear. In practice, the register cannot be reset at zero unless the integrated circuit is reinitialized (i.e. disconnected and turned on again).
In principle, the circuits work as follows: when the voltage is turned on, the microprocessor carries out an initialization program. Then it carries out a security test in which the state of the security register is verified. If all the bits are at zero, the operation may continue. If not, the operation is definitively interrupted and the circuit must be turned off.
It has been observed, however, that this security is insufficient, since abnormal conditions that appear after the initial test are no longer detected: the register records them, but nothing reads it again.
A possible approach would be to see to it that the working programs of the card all contain instructions for the periodic checking of the state of the register. However, the problem is that this would greatly interfere with the normal progress of the program, and that it is difficult to provide for a test of the register as frequently as would be needed.
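The following added example (not part of the patent text) models the prior-art scheme in C: sensor fault lines set bits in a latched register that only a power-on reset clears, the microprocessor tests the register once after initialization, and the second function shows the gap described above, a fault latched after that test going unnoticed unless the program polls the register again. The bit assignment of the sensors is assumed.

```c
#include <stdbool.h>
#include <stdint.h>

/* Sensor bit positions in the security register (assumed assignment; the
   text names the sensor types but gives no bit order). */
enum {
    SENS_FREQ  = 1u << 0,   /* clock frequency below threshold */
    SENS_VDD   = 1u << 1,   /* supply voltage too low or too high */
    SENS_LIGHT = 1u << 2,   /* package opened: light reaches the die */
    SENS_PASS  = 1u << 3,   /* passivation layer absent */
    SENS_TEMP  = 1u << 4    /* temperature out of range */
};

/* The latched register: bits are set by sensor events and are cleared only
   by reinitialization (power cycle). */
static uint8_t security_reg;

void power_on_reset(void) { security_reg = 0; }

/* A sensor asserting its fault line sets its bit; deasserting it later
   does nothing, which gives the irreversible behavior described. */
void sensor_event(uint8_t sensor, bool fault_active)
{
    if (fault_active)
        security_reg |= sensor;
}

/* The microprocessor's security test: continue only if no bit is set. */
bool security_check_passes(void) { return security_reg == 0; }

/* Prior-art flow: one check after initialization, then the application
   runs without re-reading the register. Returns true when a fault that
   appeared after the initial check stays latched but unnoticed. */
bool fault_after_init_is_missed(void)
{
    power_on_reset();
    bool ok_at_init = security_check_passes();   /* clean start */
    sensor_event(SENS_LIGHT, true);               /* package opened later */
    sensor_event(SENS_LIGHT, false);              /* condition ends; bit stays */
    /* The program never tests the register again, so it keeps running. */
    return ok_at_init && !security_check_passes();
}

/* Same scenario when the application polls the register between steps:
   the latched bit is seen and operation can be interrupted. */
bool fault_after_init_is_caught_by_polling(void)
{
    power_on_reset();
    if (!security_check_passes()) return false;
    sensor_event(SENS_VDD, true);
    return !security_check_passes();               /* periodic test catches it */
}
```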
It is also possible to have the register connected to a switching pin of the central unit of the microprocessor, but these pins are not numerous and have to be reserved for other uses.