The present invention relates to an apparatus for protecting an integrated circuit formed in a substrate and a method for protecting the integrated circuit against reverse engineering having a shield, which at least partially covers the integrated circuit and which includes a signal transmitter, a signal receiver, at least two conductor tracks running between the signal transmitter and the signal receiver, and a drive and evaluation device connected to the signal transmitter and the signal receiver and also having a covering applied on the substrate.
It is possible to subject an integrated circuit to an analysis, so-called xe2x80x9creverse engineering.xe2x80x9d This analysis may serve merely to analyze the method of operation or else to influence the method of operation for the purpose of manipulating a data content or the functional sequence. For the purpose of analysis, in a first step, the material that covers the surface of the chip is resolved. This material may be either a plastic molding composition that forms the housing of the semiconductor component, or a so-called xe2x80x9cglobe top,xe2x80x9d which merely serves to protect the chip surface and the electrical connections against mechanical damage. Such a xe2x80x9cglobe topxe2x80x9d is used in smart card modules, for example. Moreover, a thin plastic layer (xe2x80x9cimidexe2x80x9d, xe2x80x9cphotoimidexe2x80x9d) is usually applied on the passivation layer of the chip. The plastic layer is also removed during a reverse engineering method. After the removal of the material that surrounds or covers the semiconductor chip, the passivation layer of the semiconductor chip is, generally, accessible. The passivation layer can be selectively removed by etching methods, laser, or Focused Ion Beam (FIB) methods. Access to the signal lines is obtained as a result of this.
An analysis of the integrated circuit is undesirable, in principle. Particularly in the case of security-relevant circuits, for example, a microcontroller on a smart card that includes the function of an electrical purse or the like, reverse engineering should be prevented if possible. In practice, various methods already exist by which such an analysis can at least be made more difficult. To protect an integrated circuit, it is known to cover it with a so-called shield. In such a case, a shield includes at least two conductor tracks running above the integrated circuit. In the case of the passive shields, the supply potential of the semiconductor chip is present on at least one of the conductor tracks, and the ground potential is present on the other conductor track. An interruption or a short circuit of these conductor tracks is detected by an evaluation circuit that, then, cuts the integrated circuit into a secure state. This may be, by way of example, the triggering of a reset or the erasure of the memory contents. In the case of the so-called active shields, the signal present on the respective conductor tracks can be varied by a drive and evaluation apparatus. This increases the security against an analysis with respect to a passive shield because the shield cannot be rendered nonfunctional by a bypass or a rewiring. In such a case, the course of the conductor tracks can be realized in meandering form or in grid form in a plurality of planes.
International Application WO 97/36326, corresponding to U.S. Pat. No. 5,861,652 to Cole et al., discloses a method and an apparatus by which it is possible to detect the removal of a plastic housing including molding composition. In such a case, the changing capacitance between two conductor tracks upon the removal of the plastic molding composition is detected. For such a purpose, a plurality of sensors is provided in the plastic molding composition housing. However, the sensors can easily be ascertained before the plastic molding composition is actually removed, and can, therefore, be selectively omitted during the removal of the housing so that a change in the capacitance cannot be detected.
Furthermore, U.S. Pat. No. 4,868,489 to Kowalski discloses a method that detects the removal of the passivation layer over the chip surface. A plurality of detectors that are made comparatively large is provided for such a purpose. The size of the detectors means that they can easily be discerned and, thus, circumvented. Moreover, the configuration illustrated in Kowalski has the disadvantage that a shield that covers the integrated circuit has to have a cutout in each case at the locations at which the detectors are situated. This results in weak points at which an analysis is made possible.
It is accordingly an object of the invention to provide an apparatus for protecting an integrated circuit formed in a substrate and a method for protecting the integrated circuit against reverse engineering that overcome the hereinafore-mentioned disadvantages of the heretofore-known devices and methods of this general type and that enable an improved protection against an analysis.
With the foregoing and other objects in view, there is provided, in accordance with the invention, an apparatus for protecting an integrated circuit formed in a substrate, including a shield at least partially covering the integrated circuit, the shield having a signal transmitter, a signal receiver, at least two conductor tracks running between the signal transmitter and the signal receiver, a drive and evaluation device connected to the signal transmitter and to the signal receiver, a covering applied on the substrate, and a switching apparatus having a first switching state enabling a capacitive measurement and a second switching state enabling detection of damage to the shield.
The invention proposes an apparatus for protecting an integrated circuit formed in a substrate, having an active shield, in the case of which the shield has a switching apparatus. As a result, a capacitive measurement method can be carried out in a first switching state and damage to the shield can be detected in a second switching state.
Thus, according to the invention, the active shield can be changed over between two functions. If the switching apparatus is in the second switching state, then it is possible to identify short circuits between conductor tracks or interrupted conductor tracks. It is, thus, possible to identify a manipulation at the active shield, this functionality corresponding to the customary method of operation of an active shield.
If the switching apparatus is in the first switching state, then a capacitive test method is carried out between two signal lines. By way of example, one of the lines has applied to it a signal that can be detected on the second line by an evaluation circuit given a correspondingly high capacitance between the two lines. In such a case, the signal fed into the one conductor track may be constant or have a periodic or a random character.
The apparatus according to the invention has the particular advantage that the two measurement methods described above reciprocally protect one another. A capacitive measurement method can be circumvented, for example, by applying short-circuit links between two conductor tracks by FIB methods. However, such an attack would be detected by the xe2x80x9cnormalxe2x80x9d operating mode if the switching apparatus is in the second switching state. On the other hand, the capacitive measurement method protects the conventional active shield method because an attack would necessitate a removal of the covering composition, which is detected by the capacitive measurement method.
The combination of two detection methods, which merely dictates the provision of a switching apparatus in an active shield, makes it possible to significantly increase the protection against an analysis of an integrated circuit. Because, in contrast to the prior art, the two measurement methods are not spatially separate, even locally limited attacks no longer achieve their aim.
In accordance with another feature of the invention, the switching apparatus is only provided in a portion of the conductor tracks. The switching apparatus, preferably, has a plurality of switches that are in each case provided in a conductor track. Preferably, in each case a conductor track with a switch and a conductor track without a switch are disposed adjacent such that a capacitive coupling is possible. In such a case, the capacitive coupling must be such that a signal that is fed into a conductor track without a switch is received by the signal receiver approximately identically on the capacitively coupled conductor track. In this case, in one variant, the two conductor tracks may run directly adjacent to one another. In accordance with another variant, at least one further conductor track may be located between the two conductor tracks. The at least one further conductor track is advantageously floating, i.e., it is not utilized for the measurement method. This refinement makes it possible to achieve a greater capacitive coupling between the two conductor tracks. Conductor tracks that are used for the measurement method can also run, at least in sections, between the two conductor tracks.
In accordance with a further feature of the invention, the switches of the switching apparatus are connected to the drive and evaluation device and can be controlled by the latter. Equally, it is expedient that the signal receiver of the shield is connected to the drive and evaluation device. The switches of the switching apparatus and the signal receiver, thus, receives from the drive and evaluation apparatus a corresponding item of information as to which measurement method is to be carried out. The signal receiver, which may be part of the drive and evaluation device, is then able to decide whether an expected signal is received or an external manipulation is carried out.
In accordance with an added feature of the invention, the switching apparatus is part of the signal transmitter. In such a case, the signal transmitter would be connected to the drive and evaluation apparatus.
With the objects of the invention in view, there is also provided an apparatus for protecting an integrated circuit formed in a substrate, including a shield adapted to at least partially cover the integrated circuit, the shield having a signal transmitter, a signal receiver, at least two conductor tracks running between the signal transmitter and the signal receiver, a drive and evaluation device connected to the signal transmitter and to the signal receiver, a covering adapted to be applied on the substrate, and a switching apparatus having a first switching state enabling capacitive coupling between the at least two conductor tracks and a second switching state disabling capacitive coupling between the at least two conductor tracks and, thereby, enabling detection of damage to the shield.
With the objects of the invention in view, there is also provided an integrated circuit protecting apparatus for protecting an integrated circuit formed in a substrate, including a shield adapted to at least partially cover the integrated circuit, the shield having a signal transmitter, a signal receiver, at least two conductor tracks connecting the signal transmitter and the signal receiver, a drive and evaluation device connected to the signal transmitter and to the signal receiver, a covering adapted to be applied on the substrate, and a switching apparatus programmed to perform a capacitive measurement method in a first switching state and programmed to detect damage to the shield in a second switching state.
With the objects of the invention in view, in an integrated circuit formed in a substrate, there is also provided an apparatus for protecting the integrated circuit including a shield at least partially covering the integrated circuit, the shield having a signal transmitter, a signal receiver, at least two conductor tracks running between the signal transmitter and the signal receiver and connecting the signal transmitter to the signal receiver, a drive and evaluation device connected to the signal transmitter and to the signal receiver, a covering applied on the substrate, and a switching apparatus having a first switching state enabling capacitive coupling between the at least two conductor tracks and a second switching state disabling capacitive coupling between the at least two conductor tracks and, thereby, enabling detection of damage to the shield.
With the objects of the invention in view, there is also provided a method for protecting an integrated circuit formed in a substrate against xe2x80x9creverse engineeringxe2x80x9d including the steps of:
a) selection of the switching state of the switching apparatus by the drive and evaluation device;
b) application of a respective signal to the conductor tracks by the transmitting device;
c) evaluation of the signal received by the signal receiver by the drive and evaluation device;
d) initiation of a function change of the integrated circuit if the evaluation of the signal by the drive and evaluation device produces an unexpected result; and
e) in the case of an expected signal, repetition of steps a) to d).
In accordance with an additional mode of the invention, preferably, the switching state of the switching apparatus is selected optionally or alternately by the drive and evaluation apparatus. The shield, thus, changes between the capacitive measurement method and the normal operating mode of an active shield in accordance with the control by the drive and evaluation apparatus.
In accordance with yet another mode of the invention, a particularly good protection is achieved when the switching state of the switching apparatus changes periodically or at random time intervals.
In accordance with yet a further mode of the invention, a further increase in the security is made possible by virtue of the fact that at least the signals present on a conductor track with a switch and on an adjacent conductor track without a switch are different if the switching apparatus is in the second switching state, that is to say, in the normal operating mode.
In accordance with yet an added mode of the invention, there are provided the steps of placing a switch on a first of the at least two conductor tracks, the one conductor track being adjacent to a second of the at least two conductor tracks without a switch, applying a first signal to the first conductor track with the transmitting device, and applying a second signal to the second conductor track with the transmitting device, the first and second signal being different when the switching apparatus is in the second switching state.
With the objects of the invention in view, there is also provided a method for protecting an integrated circuit formed in a substrate against reverse engineering, including the steps of at least partially covering the integrated circuit with a shield having a signal transmitter, a signal receiver, at least two conductor tracks running between the signal transmitter and the signal receiver, a drive and evaluation device connected to the signal transmitter and to the signal receiver, a covering applied on the substrate, and a switching apparatus having a first switching state enabling a capacitive measurement and a second switching state enabling detection of damage to the shield, selecting one of the first and second switching states with the drive and evaluation device, applying a respective signal to the at least two conductor tracks with the transmitting device, evaluating a signal received by the signal receiver with the drive and evaluation device, and if the evaluation of the signal by the drive and evaluation device produces an unexpected result, then initiating a function change of the integrated circuit, and if the evaluation of the signal by the drive and evaluation device produces an expected result, repeating the selecting, applying and evaluating steps.
Other features that are considered as characteristic for the invention are set forth in the appended claims.
Although the invention is illustrated and described herein as embodied in an apparatus for protecting an integrated circuit formed in a substrate and a method for protecting the integrated circuit against reverse engineering, it is, nevertheless, not intended to be limited to the details shown because various modifications and structural changes may be made therein without departing from the spirit of the invention and within the scope and range of equivalents of the claims.
The construction and method of operation of the invention, however, together with additional objects and advantages thereof, will be best understood from the following description of specific embodiments when read in connection with the accompanying drawings.