U.S. patent application number 12/230909 was filed with the patent office on 2009-03-12 for smart-card chip arrangement.
This patent application is currently assigned to SEIKO EPSON CORPORATION. Invention is credited to Simon Moore, Philip C. Paul, Simon Tam.
Application Number | 20090065591 12/230909 |
Document ID | / |
Family ID | 38658825 |
Filed Date | 2009-03-12 |
United States Patent
Application |
20090065591 |
Kind Code |
A1 |
Paul; Philip C. ; et
al. |
March 12, 2009 |
Smart-card chip arrangement
Abstract
A smart-card chip arrangement includes a smart-card chip, an
organic conductive layer disposed on a surface of the chip, and
signal-deriving means for deriving a signal dependent on one or
more properties of the organic conductive layer. The organic
conductive layer and the signal-deriving means are configured such
as to detect an invasive attack on the chip. By this means the
unauthorized detection of a cryptographic key, which is employed by
the chip, can be prevented.
Inventors: |
Paul; Philip C.;
(Cambridgeshire, GB) ; Tam; Simon;
(Cambridgeshire, GB) ; Moore; Simon;
(Cambridgeshire, GB) |
Correspondence
Address: |
OLIFF & BERRIDGE, PLC
P.O. BOX 320850
ALEXANDRIA
VA
22320-4850
US
|
Assignee: |
SEIKO EPSON CORPORATION
Tokyo
JP
CAMBRIDGE ENTERPRISE LTD
Cambridge
GB
|
Family ID: |
38658825 |
Appl. No.: |
12/230909 |
Filed: |
September 8, 2008 |
Current U.S.
Class: |
235/492 |
Current CPC
Class: |
G06K 19/07381 20130101;
G06F 21/87 20130101; G06F 21/77 20130101 |
Class at
Publication: |
235/492 |
International
Class: |
G06K 19/073 20060101
G06K019/073 |
Foreign Application Data
Date |
Code |
Application Number |
Sep 12, 2007 |
GB |
0717783.5 |
Claims
1. A smart-card chip arrangement, comprising: a chip having a first
pad, a second pad and a control circuitry; and an organic material
film positioned on a surface of the chip so that the organic
material film is coupled to the first and second pads, the control
circuitry being configured to provide an operating signal to the
organic material film via the first and second pads.
2. The smart-card chip arrangement according to claim 1, the
organic material film being an organic semiconductor film.
3. The smart-card chip arrangement according to claim 2, the
organic semiconductor layer being composed of a material from a
group consisting of F8T2, P3HT and pentacene.
4. The smart-card chip arrangement according to claim 1, the
organic material film being an organic conductive polymer.
5. The smart-card chip arrangement according to claim 4, the
organic conductive polymer being composed of a material from a
group consisting of PEDOT and PSS.
6. The smart-card chip arrangement according to claim 1, the
organic material film being a layer covering at least those areas
of the chip containing circuitry, which, if invaded, could lead to
the detection of a cryptographic key employed by the chip.
7. The smart-card chip arrangement according to claim 1, further
comprising: an insulating film positioned between a part of the
chip and a part of the organic material film.
8. The smart-card chip arrangement according to claim 7, the
insulating film having a first portion and a second portion, a
thickness of the first portion and a thickness of the second
portion being different.
9. The smart-card chip arrangement according to claim 7, a surface
of the insulating film being uneven compared to a surface of the
chip.
10. The smart-card chip arrangement according to claim 7, further
comprising: a passivation film covering the organic material
film.
11. The smart-card chip arrangement according to claim 7, the
organic material film having a spiral shape.
12. The smart-card chip arrangement according to claim 7, the
organic material film having a wave-like shape.
13. A smart-card chip arrangement, comprising: a chip having a
first pad and a second pad; an organic material film coupled to the
first and second pads; and an insulating film positioned between a
part of the chip and a part of the organic material film, the
insulating film having a concavoconvex surface.
14. A smart-card chip arrangement, comprising: a chip having a
first pad, a second pad, a third pad and a fourth pad; a first
organic material film disposed on the chip, the first organic
material film being coupled to the first and second pads; and a
second organic material film disposed on the chip, the second
organic material film being coupled to the third and fourth
pads.
15. A smart-card comprising: the smart-card chip arrangement
according to claim 1; and an encapsulating material covering at
least the organic material film of the smart-card chip arrangement.
Description
BACKGROUND OF THE INVENTION
[0001] An aspect of the present invention relates to a smart card
chip arrangement and a method for protecting a smart-card chip
arrangement from unauthorized tampering.
[0002] Smart cards are used for a multitude of applications and, in
order to protect the user or provide identification for the
relevant application, they generally perform some form of
encryption or decryption. To this end, a secret key is stored on
the chip to render the cryptographic function unique. Attacks from
unauthorised parties aim to retrieve this secret key and hence
allow the attacker to duplicate or otherwise misuse the smart card.
There are two classes of attack: non-invasive and invasive. The
present invention is able to find a solution to the latter.
[0003] Invasive attacks on smart cards are performed by partially
or completely removing the packaging of the microchip of the smart
card. The depackaging step may be achieved using acids, solvents,
laser cutters, or chemical mechanical polishing. A comprehensive
description of the various techniques employed is given in the
paper "Design Principles for Tamper-Resistant Smartcard Processors"
by Oliver Kommerling and Markus Kuhn, Proc. of the USENIX Workshop
on Smartcard Technology, Chicago, 10-11 May, 1999, pp. 9-20. Once
the microchip has been depackaged, attacks are conducted by probing
metal tracks. A focus ion beam (FIB) technique could be employed to
drill fine holes in the insulating layer in order to expose fine
metal tracks without disturbing other components.
[0004] A standard countermeasure against invasive attacks is to
cover the chip surface with a metal protection grid. More
specifically, the topmost metal layer of the microchip is patterned
to cover the chip with a meandering grid. This grid prevents access
to the circuitry below and also shields the chip circuitry from
electromagnetic emissions, which may leak sensitive information
(see, e.g., the Dallas DS5002FPM secure microprocessor). Damage to
the protection grid is detected, which triggers an alarm and thus
causes the chip to refuse further operation.
[0005] A second method for protecting the encryption keys is to
randomly distribute small particles directly into the packaging of
the microchip. The cryptographic key is then derived from measuring
the distribution of these particles. To achieve this, the chip
includes sensors that are sensitive to at least one physical
property of the particles (e.g. magnetism). If the packaging is
damaged or removed, the encryption key is lost. This structure is
the subject of U.S. Pat. No. 7,005,733 by Kommerling et al.
[0006] A drawback with the use of metal protection grids is that
the depackaging procedure leaves the protection grid intact.
Generally speaking, it is necessary to actively break the metal
protection grid in order to trigger the alarm. However, since the
feature size of the metal grid is much bigger than what the FIB can
achieve, it is highly likely that the grid will be unable to
provide sufficient protection (as demonstrated by Kommerling and
Kuhn in the above-mentioned paper). A small hole can be excavated
between grid lines to expose signal wires for probing by the
attacker, without triggering the alarm.
[0007] As regards the particle-distribution technique, this
solution is elegant in principle, but requires a multitude of
sensors to be positioned on the chip surface. This is expected to
consume significant area on the chip and complicate routing, not
least because metal wires running above a sensor will shield it
from the relevant property of the packaging, thereby defeating the
purpose.
BRIEF SUMMARY OF THE INVENTION
[0008] In accordance with a first aspect of the present invention
there is provided a smart-card chip arrangement, comprising: a
smart-card chip; an organic conductive layer disposed on a surface
of the chip; and signal-deriving means for deriving a signal
dependent on one or more properties of the organic conductive
layer; wherein said organic conductive layer and said
signal-deriving means are configured such as to detect an invasive
attack on said chip.
[0009] The organic conductive layer may be an organic semiconductor
layer, which may be composed of a material from a group consisting
of F8T2, P3HT and pentacene. Alternatively, or additionally in
another region of the chip, the organic conductive layer may be an
organic conductive polymer. Such an organic conductive polymer may
be composed of a material from a group consisting of PEDOT and
PSS.
[0010] The organic conductive layer may be a layer covering at
least those areas of the chip containing circuitry, which, if
invaded, could lead to the detection of a cryptographic key
employed by the chip. It may be constituted as a strip of organic
conductive material arranged in a meandering pattern on said chip
surface. The meandering pattern may be a spiral or a wave-like
shape.
[0011] The organic conductive layer may be provided as two or more
layers separated by an insulative layer. Viewed looking down onto
said organic conductive material, the meandering pattern of one of
said layers may at least partially overlap the spaces inside the
meandering pattern of another of said layers.
[0012] The meandering pattern may comprise first and second
castellated strips of the organic conductive material, the first
and second castellated strips each comprising first strip sections,
which are formed in one of the two layers and are extensive in a
direction substantially orthogonal to the general direction of the
meandering pattern, and second strip sections, which are formed in
the other of the two layers, are extensive in substantially the
general direction of the meandering pattern and link neighbouring
ends of the first strip sections.
[0013] The meandering pattern may be in discrete sections, said
discrete sections being associated with respective said
signal-deriving means. Alternatively, the meandering pattern may be
in one continuous length.
[0014] Advantageously, a surface of said organic conductive layer
facing away from said chip may vary in height above said chip
surface over at least part of the extent of the organic conductive
layer. There may be an insulative layer disposed between said chip
surface and said organic conductive layer, wherein said insulative
layer varies in thickness over at least part of the extent of the
organic conductive layer.
[0015] The signal-deriving means may be configured such as to apply
a first electrical quantity to one part of said organic conductive
layer and to detect a second electrical quantity at another part of
said organic conductive layer, said second electrical quantity, or
differences between said first and second electrical quantities,
being due to the application of said first electrical quantity and
being determined by properties of said organic conductive layer,
and to compare said second electrical quantity or said differences
with a reference electrical quantity or reference differences,
respectively.
[0016] The first electrical quantity may be a voltage or a current,
and said control means may be configured such as to detect a time
delay with which said voltage or current appears at said another
part of said organic conductive layer, said time delay being
compared with a reference time delay characterizing said smart-card
chip arrangement in an uninvaded state thereof.
[0017] The first and second electrical quantities may be first and
second waveforms, respectively, and said control means may be
configured to compare said second waveform, or differences between
said first and second waveforms, with a reference second waveform
or reference differences, respectively, characterizing said
smart-card chip arrangement in an uninvaded state thereof.
[0018] The signal-deriving means may be configured to determine a
transfer function of said organic conductive layer and to compare
said transfer function with a reference transfer function
characterizing said smart-card chip arrangement in an uninvaded
state thereof.
[0019] The signal-deriving means may be configured to apply a
voltage or a current to one part of said organic conductive layer,
and to detect a time delay with which said voltage or current
appears at another part of said organic conductive layer, said
control means comprising combining means for combining said
detected time delay with reference data, thereby to provide a
cryptographic key employed by the chip, and comparing means for
comparing said cryptographic key with a cryptographic key obtained
in an uninvaded state of said smart-card chip arrangement.
[0020] There may be two of said organic conductive layers and said
signal-deriving means may comprise: a signal-input means for
inputting an input signal to one part of each of said organic
conductive layers; a signal-output means for outputting an output
signal from another part of each of said organic conductive layers;
a first comparison means for forming a first comparison between
said output signals, and a second comparison means for forming a
second comparison between the results of the first comparison and a
reference signal held in a memory.
[0021] The first comparison means may be a difference-determining
means for forming a difference between said output signals, or a
dividing means for forming a ratio of said output signals.
[0022] The organic conductive layers may be in different layers
with an insulative layer therebetween, said organic conductive
layers at least partially overlapping each other. Alternatively, or
additionally, the organic conductive layers may be side-by-side in
the same layer.
[0023] In a second aspect of the present invention, a smart card is
provided comprising a smart-card chip arrangement as described
above.
[0024] The invention further provides, in a third aspect thereof, a
method for protecting a smart-card chip arrangement from
unauthorized tampering, said smart-card chip arrangement
comprising: a smart-card chip protected by a cryptographic key, and
an organic conductive layer disposed on a surface of the chip; said
method comprising the steps of: performing a self-characterization
process, in which an initial signal dependent on one or more of the
initial properties of said organic conductive layer before
tampering is derived; performing one or more subsequent tests on
said smart-card chip arrangement in order to derive subsequent
signals dependent on said one or more of the properties of said
organic conductive layer; comparing said subsequent signals with
said initial signal, and, if said subsequent signals differ
substantially from said initial signal, providing to said chip a
signal indicative of said tampering.
[0025] A fourth aspect of the present invention features a method
for protecting a smart-card chip arrangement from unauthorized
tampering, said smart-card chip arrangement comprising: a
smart-card chip protected by a cryptographic key, and an organic
conductive layer disposed on a surface of the chip; said method
comprising the steps of: establishing an initial value of said key
before tampering, said value being dependent on determined
properties of said organic conductive layer; performing one or more
subsequent tests on said smart-card chip arrangement in order to
reassess the value of said key; comparing said reassessed key-value
with said initial key-value, and, if said reassessed key-value
differs from said initial key-value, providing to said chip a
signal indicative of said tampering.
[0026] Either of these methods may include the further step of
using said tampering-indicative signal to prevent the reading of
said cryptographic key.
[0027] The initial value of the key may be established from a
combination of a parameter, which is dependent on said determined
properties, and a predetermined pre-key component. The parameter
may be a response time of said organic conductive layer to an input
signal applied to said organic conductive layer.
BRIEF DESCRIPTION OF THE DRAWINGS
[0028] Embodiments of the invention will now be described in detail
purely by way of example, with the aid of the attached drawings, of
which:
[0029] FIG. 1 is a side view of a first embodiment of a smart-card
chip arrangement in accordance with the invention;
[0030] FIG. 2 is a block diagram of a control arrangement
associated with the first embodiment;
[0031] FIG. 3 is a block diagram of a control arrangement
associated with a second embodiment of the invention;
[0032] FIG. 4 is a block diagram of a control arrangement
associated with a third embodiment of the invention;
[0033] FIG. 5 is a flowchart showing the mode of operation of the
first two embodiments;
[0034] FIG. 6 is a flowchart showing the mode of operation of the
third embodiment;
[0035] FIG. 7 is a side view of a smart-card chip arrangement in
accordance with the invention in a variant thereof;
[0036] FIG. 8 is a side view of a smart-card chip arrangement in
accordance with the invention in a further variant thereof;
[0037] FIGS. 9(a) and 9(b) provide top and side views,
respectively, of a smart-card chip arrangement in accordance with a
still further variant thereof;
[0038] FIG. 10 is a block diagram of a control arrangement
associated with a fourth embodiment of a smart-card chip
arrangement in accordance with the invention;
[0039] FIGS. 11(a) and 11(b) are top views of a fifth embodiment of
a smart-card chip arrangement in accordance with the invention;
and
[0040] FIGS. 12(a), 12(b) and 12(c) are top views of a sixth
embodiment of a smart-card chip arrangement in accordance with the
invention;
DETAILED DESCRIPTION OF EMBODIMENTS OF THE INVENTION
[0041] The smart-card arrangement proposed by the present inventors
is based on the use of an organic conductive protection layer,
which may be composed of a conductor or a semiconductor material
and is preferably disposed in a grid pattern, as are the known
metallic protection layers. Organic materials are damaged by all of
the depackaging techniques that are currently employed and can
therefore provide excellent protection against tampering.
Furthermore, a preferred embodiment of the invention deposits the
organic protection layer as a back-end process--that is, the
structure is made after the chip has been fabricated. This means
that a standard smart-card chip can be obtained and the organic
protection layer deposited on a surface of this standard chip.
Since therefore minimal changes have to be made to the chip itself,
costs are reduced.
[0042] Furthermore, by using inkjet or similar deposition or
patterning techniques, it is possible to dynamically vary the
structure of the protection layer (grid) without significantly
increasing fabrication costs, since it is not necessary to use
lithography masks. Individual chips of the same fabrication run can
be structured differently, which has the advantage of making
reverse-engineering and spoofing (the mimicking of protection-grid
behaviour by an attacker) much more difficult. This flexibility is
not available when using metal protection grids.
[0043] A wealth of organic materials are known, which are suitable
for use as the protection layer. The most commonly used materials
for this function are PEDOT (poly(3,4-ethylenedioxythiophene)),
which is a conductive polymer material usually doped with PSS
(poly(stryenesulfonate)), and F8T2
(poly(9,9-dioctylfluorenyl-2,7-dyl)-co-bithiophene)) or P3HT
(poly(3-Hexylthiophene)), both of which are semiconducting
materials. All three of these materials are readily deposited by
inkjet techniques and are therefore particularly suitable for use
in the present invention. A further material, pentacene, is a
semiconducting molecular material, which is usually deposited by
thermal evaporation under vacuum conditions. It is also possible to
deposit liquid precursors and subsequently anneal the precursors to
form pure pentacene. This material may also be used for the
semiconducting structures of the protection layer. In addition, PVP
(poly(4-vinylphenol)) is an insulating polymer that can be used as
a topography-forming layer or as an interfacial insulator or a
passivation layer. The use of such layers is discussed later.
[0044] The above list of materials is by no means exhaustive, there
being others that may equally well be used in the present
application.
[0045] It is preferred that the organic protection layer be
combined with an outer layer (e.g. a resin) to form a packaging
layer enclosing the overall device (e.g. a smart card), such that,
when the packaging layer is damaged during a tampering process or
an invasive attack, the organic material is destroyed or degrades
to such an extent that the process or attack is detected
electronically.
[0046] In general, to provide good protection, the protection layer
must be sure to be damaged in an attack and its integrity must be
easily verifiable. Ideally also, any signalling that takes place
must be difficult to mimic by an attacker. The protection layers
provided by the various embodiments of the present invention
attempt to meet these criteria.
[0047] A first embodiment of a smart-card chip arrangement in
accordance with the invention is illustrated in FIGS. 1 and 2. In
FIG. 1 a smart-card chip 10, which may be a standard chip supplied
by a suitable supplier, has applied to its upper surface a single
organic conductive layer 12. The organic conductive layer 12,
which, as already stated, may have conducting or semiconducting
properties, is applied as a strip of material in a grid
configuration over the upper surface of the chip 10. This strip is
connected at its two ends to respective bond pads 14, 16, which in
turn are connected to suitable control circuitry located on the
chip. The control circuitry provides operating signals for at least
indirectly assessing the properties of the organic layer.
[0048] In this embodiment the layer is used as an RC
(resistor-capacitor) delay line and the control circuitry feeds a
pulse into one end of the delay line and measures the time it takes
for the pulse to reach the other end. An alarm is triggered if the
response time changes. Such a change in response time could result
from a tampering attempt, which alters the electrical properties of
the layer, and thereby the delay time. A block diagram of this
control arrangement is shown in FIG. 2. In FIG. 2 a waveform
generator 20 supplies a voltage or current pulse to the bond pad 14
shown in FIG. 1 and the voltage/current on the other bond pad 16 is
monitored by a detector circuit 22. The protection layer 12 is
shown in FIG. 2 as a simple RC network. A timer 24 is also
provided, which is started by the appearance of the pulse from the
waveform generator 20 and is stopped by the appearance of the
delayed pulse as detected by the detector 22. The delay time
measured by the timer is then compared in a comparator 26 with a
predetermined reference delay value stored in a non-volatile memory
28, which is directly integrated in the chip circuitry in the form
of an embedded non-volatile memory or ROM. The memory is preferably
of the write-once variety for reasons to be explained later. An
example of a write-once memory is described in U.S. Pat. No.
6,804,136 by L. Forbes. If the two delay times are substantially
identical, then the comparator outputs a "PASS" signal, otherwise a
"FAIL" signal is output. These two signals are represented by a
logic HIGH/LOW signal (in either order) at the output of the
comparator.
[0049] A second embodiment of the invention is depicted in FIG. 3.
This embodiment likewise makes use of the single organic-layer
arrangement shown in FIG. 1, but in this case applies not a single
pulse to the protection layer at pad 14, but a waveform from a
random waveform generator 30, which may be, e.g., a pseudo-random
waveform generator. A detector 32 detects the waveform on the pad
16 of the protection layer and takes snapshots of this waveform at
discrete moments in time. These snapshots are then compared with a
reference profile stored in a memory 34, which as before is
preferably a write-once non-volatile memory mounted directly on the
chip. Again, if the two values substantially agree, a "PASS" signal
is output from the detector 32, whereas if they differ, a "FAIL"
signal is output. As with the first embodiment, any attempt to
invade the smart-card chip will result in damage done to the
protection layer, which in turn changes the electrical properties
of this layer. This affects the values of the snapshots taken by
the detector 32. An advantage of this arrangement is that the times
at which the snapshots are taken may be made to vary. This is
acceptable, provided the same variation is employed each time the
protection layer is "read". Since an attacker is unlikely to know
the pattern of this variation, a degree of protection against
spoofing is provided. Furthermore, the variation in the snapshot
times may be different for different smart-card chips, which
provides even greater protection.
[0050] The detector 32 in FIG. 3 is preferably configured to form a
measurement of the impedance or transimpedance of the RC network
between the pads 14 and 16. Thus, either the random waveform
generator 30 delivers a current and the resulting voltage on pad 16
is read, or vice-versa. In either case the detector forms the
quotient of these two quantities.
[0051] A third embodiment of the present invention is shown in FIG.
4. In this embodiment the protection layer is once again considered
as a delay line, just as in the first embodiment. However, in this
instance the comparator 26 shown in FIG. 2 is replaced by a
"transform logic" circuit 40 and the memory 28 contains not
reference delay-time values, but a number of pre-key bits. These
pre-key bits may be predetermined values or may be purely random.
Transform logic circuit 40 combines these pre-key bits with the
delay time output by the timer 24 and delivers at its output a
number of key bits, which together function as the cryptographic
key for the smart card. This key will change if the protection
layer is damaged, e.g. as a result of tampering or an attack, since
the layer's electrical properties will change, which will change
the delay time registered by the timer 24, and consequently also
the key bits output by the transform logic circuit 40.
[0052] To derive the encryption key from the delay time and pre-key
bits, the analogue delay time detected by the timer 24 must be
digitised. This may be achieved either by counting the number of
clock cycles the signal takes to reach a certain threshold at the
receiving end of the delay line, or by using a digital-to-analogue
converter (DAC). The voltage at the input of the DAC is converted
to a digital signal after a fixed time, which is chosen such that
it coincides with charging of the receiving node (i.e. when the
pulse reaches the far end, and the voltage has not yet reached its
steady state). The number of bits constituting the delay time will
vary, depending on the achievable accuracy. To increase accuracy,
it may be necessary to compensate for environmental conditions such
as ambient temperature. Depending on the materials employed, the
conductivity of the protection layer will vary--usually the
conductivity increases with temperature. The capacitance, however,
will remain fixed, resulting in shorter delay times. Compensation
can be simply achieved by providing a temperature sensor on the
chip (e.g. a diode--temperature sensors are readily available for
CMOS technology) and a lookup table containing the compensation
coefficients. For best spread of output key values, a hash function
may be used to derive the actual encryption key from both inputs.
As is well known, a hash function is a complex function that
combines data in such a way that a change in a single value changes
the result significantly. It is also a one-way function--i.e. the
original values cannot be derived from the result.
[0053] The reliability level afforded by this third embodiment is
higher than that afforded by either of the first and second
embodiments. This is because, whereas the first and second
embodiments provide a single-bit test decision only (i.e. an
indication of "PASS" or "FAIL"), in the third embodiment the test
result forms the cryptographic key. An incorrect cryptographic key
results in failure of the smart card device without the need for
pass/fail signals and associated circuitry (that could likewise be
tampered with).
[0054] The mode of operation of the first two embodiments is
illustrated in the flowchart of FIG. 5. It is assumed first of all
that the delay time (first embodiment) or waveform snapshot values
(second embodiment) have been determined in an initial test carried
out before the smart-card chip is issued and put to use, and that
this time or these values have been saved to the write-once
non-volatile memory. This initial procedure might be termed a
self-characterizing phase. After this self-characterizing phase, a
dedicated memory cell is used to flag successful initialization of
the memory and allow the chip to function normally. During
subsequent use of a smart card containing such a chip, the card is
inserted into a reader and is powered on (step S100), allowing the
control circuitry illustrated in FIG. 2 or FIG. 3 to operate.
Before a transaction is carried out (such a transaction may be, for
example, the withdrawal of funds where the card is a bank card of
some kind), and assuming the flag mentioned earlier has been set, a
subsequent test is carried out on the protection layer (step S102)
using either the delay-line principle or the waveform-snapshot
principle described in connection with FIGS. 2 and 3, respectively.
A decision is then made as to whether or not the protection layer
is intact (see step S104). If it is (i.e. an output signal "PASS"
is delivered), then the requested transaction is performed (step
S106), e.g. the funds are withdrawn. On completion of the
transaction the smart-card chip arrangement goes into a standby
mode (step S108) in readiness for a possible further transaction.
Should no further transaction be desired, the card will be removed
from the reader, resulting in removal of power from the card.
Should a "FAIL" signal be output by the comparator 26 or detector
32 in FIGS. 2 and 3, respectively, then the transaction is
disallowed (step S110). This will trigger a suitable alarm,
advising the user (which in this case may be the attacker rather
than the authorised card user) of such disallowal and preferably
also alerting the user to the possibility that tampering has
occurred and that the card's security has been compromised.
Preferably also, the control circuitry of the smart-card chip
arrangement will erase the memory containing the cryptographic key
of the chip, so that there is no possibility that the key could be
hacked in any subsequent attack on the same card.
[0055] It is possible that an attacker could successfully unset the
afore-mentioned flag, in which case the self-characterization
routine will be restarted. In that event, the tampered-with
protection layer will be read and its resulting characteristics
taken to be the original initial ones, leading to the possibility
that the attacker could use the card to withdraw funds, etc. It is
under these circumstances that the use of a write-once memory is
beneficial, since the new self-characterizing values cannot be
written to the memory. Thus the characteristic values of the
damaged protection layer will not match the characteristic values
stored in memory, leading to a "FAIL" indication, as mentioned
earlier.
[0056] FIG. 6 shows the corresponding sequence of events for the
third embodiment shown in FIG. 4. Before a card containing the
smartcard chip is issued, the protection layer is "read" by
determining its response to an input pulse. This is the
pre-characterizing phase. As already explained, this response is in
the form of a delay time, which is used in conjunction with a set
of pre-key bits in non-volatile memory 28 to derive the
cryptographic key for the chip at the output of the transform logic
circuit 40. Subsequently, when the smartcard is used, it is
inserted into a card reader, which powers on the card (step S120).
The protection layer is then re-read in a characterisation step
(S122), which derives the key once again (step S124) based on the
updated properties of the protection layer. If those properties
remain the same, the key will remain the same, indicating that the
layer has not been damaged and so tampering has not occurred.
Consequently, the transaction (e.g. the withdrawal of funds) can
proceed (step S126). Once the transaction has been completed, the
control circuitry of the smart-card chip arrangement remains idle
in readiness for another transaction. In the event the layer is not
intact, the key will not match the originally derived key and
therefore the user, which again may well be the attacker or
tamperer, will be unable to go through with the requested
transaction. In this manner the bank account, for example, of the
card holder is protected from fraudulent withdrawal.
[0057] In all these embodiments, the organic protection layer also
provides some degree of shielding for the various signals arising
from the operation of the smart-card chip. This is important if the
risk of attack is to be reduced. The effectiveness of this
shielding will dependent to some extent on how large the gaps are
in the grid structure of the layer. The protection layer will carry
its own signals, of course, which can escape to the outside. It is
envisaged that additional protective measures, such as the
provision of one or more dedicated shielding layers, may be
provided in order to mitigate this drawback.
[0058] A refinement of the embodiments just described will now be
explained with the aid of FIG. 7. FIG. 7 shows essentially the same
smart-card chip arrangement shown in FIG. 1, but this time the
semiconductor layer 12 is not applied directly to the surface of
the chip 10, but is applied to an insulation layer 50, which has
first been applied to the chip surface. The insulation layer 50 is
deliberately made uneven in its topography, as can be clearly seen
in FIG. 7. In other words, it assumes different depths at different
points on the chip surface. Consequently, should an attacker decide
to employ a chemical mechanical polishing (CMP) technique in order
to gain access to the chip circuitry, this will remove the higher
parts of the semiconductor layer, thereby damaging this layer and
altering its characteristics. These changes in characteristics are
picked up using one of the methods already described in connection
with the first, second and third embodiments, thereby protecting
the chip key from unauthorised discovery. This refinement has the
advantage that the CMP-based tampering can be detected before the
shielding properties of the layer are degraded significantly.
[0059] A further refinement involves the addition of a further
layer, which enhances the damage done to the protection layer. An
example of this is shown in FIG. 8, which includes in addition to
the topographical insulation layer 50 shown in FIG. 7 a passivation
layer 52 disposed directly on top of the organic protection layer
12. A further layer 54 is provided, which encapsulates the chip
arrangement and is of a material conventionally employed for this
purpose, e.g. a plastics or resin material. The material of layer
52 is chosen so that its removal requires techniques which
efficiently damage the organic layer--for example, the acid-based
removal technique. Alternatively, layer 52 may be so tightly bound
to the protection layer, that the latter is automatically damaged,
destroyed or removed when the former is attacked.
[0060] A particularly advantageous variant of the embodiments so
far described involves the use of multiple organic protection
layers on the same chip. FIGS. 9(a) and 9(b) show top and side
views, respectively, of such an arrangement, in which an upper
organic protection layer 60 is disposed above a lower organic
protection layer 62, the two layers being separated by an
intervening insulating layer 64. Both protection layers are in the
form of an organic conductor strip, which follows a wave-like
configuration over at least an area of the chip containing
sensitive circuitry, attacks on which could result in discovery of
the cryptographic key. Although the size of the gap between the
grid lines can be made very small (sub-hundred nanometer
dimensions, typically), it is desirable to reduce the gap still
further in order to be sure of detecting an attack. In the FIG. 9
arrangement this is achieved by arranging for the lower strip to
fill in the gaps left by the upper strip, and vice-versa.
Consequently, an attack at any part of the protection-layer
arrangement will show itself as a change in the characteristics of
at least one of the two layers, leading to a "FAIL" result in the
tests carried out in, for example, FIGS. 5 and 6. Indeed, the two
layers can be made to co-operate by monitoring the appearance of a
signal between the two layers, such a signal indicating that a
short-circuit has taken place, possibly through tampering. Thus a
detector could be provided with inputs connected to points A and B,
for example. A signal on both inputs would indicate tampering and
result in a "FAIL" indication in the control circuitry, as
described earlier.
[0061] For the sake of completeness, FIG. 9(a) shows not only the
protection-layer arrangement, but also more peripheral parts of the
chip package containing the various bond-pads required for the
operation of the chip. It should be noted that the various
component parts of this drawing are shown in representative fashion
only and are not limited to the actual relative dimensions
shown.
[0062] The use of at least two separate protection layers allows
the use of a fourth embodiment of the invention, which is
illustrated in FIG. 10. In this embodiment a first organic
protection layer, which is modelled as an RC network 70 in FIG. 10,
is formed as a lower layer (e.g. the layer 62 in FIG. 9), while a
second organic protection layer, which is modelled as an RC network
72 in FIG. 10, is formed as an upper layer (the layer 60 in FIG.
9). Both layers are tested for their time-delay in response to a
pulse input from a generator 74, these time delays being detected
by respective timers 76, 78, which receive input signals from
respective signal detectors 80, 82. In addition a memory 84 has
stored therein the value of a reference time delay. So far the
testing circuit for each layer in FIG. 10 resembles that shown in
FIG. 2 for testing the single layer shown in FIG. 1. An additional
component in FIG. 10, however, is a processor circuit 86, which
takes as its inputs the outputs of the timers 76 and 78 and the
output of the memory 84.
[0063] The processor circuit 86 compares the characteristics of the
two layers, so that any significant relative change in
characteristics is taken to indicate the occurrence of an attack.
The initial testing phase of this embodiment will assess the
"correct" (i.e. "untampered") time-delay difference between the two
layers and place that in the memory 84 as the reference value. In
subsequent tests, in the event that no tampering or 20 attack has
taken place, the difference in time delays will remain unaltered,
providing a "PASS" decision at the output of the processor circuit
86. On the other hand, where one of the layers has been tampered
with, the delays will be appreciably different, providing a "FAIL"
decision at the processor-circuit output. It may be possible, by
strict control of the deposition conditions of the two organic
layers, for the electrical characteristics--and hence the time
delay--of the two layers to be almost identical. In that case, the
reference value in the memory 84 will be ideally zero or, more
realistically, a narrow spread of values in view of the small
finite difference in the characteristics of the two layers. Any
difference value outside the reference value will result in a
"FAIL" signal at the output of the processor circuit 86, otherwise
a "PASS" indication is given. Instead of a zero time delay, other
reference values may be stored in the memory 84. Two possibilities
are a fixed ratio of delays or a fixed absolute time-delay
difference.
[0064] This embodiment assumes that an attack will affect the outer
layer (see RC network 72) in preference to the inner layer (see RC
network 70), so that a difference between their characteristics
does arise. If an attack took place while the smart-card was
powered up, it would be easy to detect a relative change in the
characteristics of the two layers, provided sampling of the inner
layer took place sufficiently quickly after the sampling of the
outer layer--i.e. during the time in which the attack was taking
place. However, an attack is far more likely to occur with the card
not powered up. In that case, the present invention envisages the
detection of not only relative changes between the layers, but also
of absolute changes--for example, by using as an additional
reference value an absolute value of delay. Thus, although, if both
layers were roughly equally affected by an attack, a sufficiently
great relative change might not be detected, it is very likely that
the delay times of both layers will have increased beyond the
absolute maximum reference-time value. This would be detected and
the necessary protection provided.
[0065] An advantage of the fourth embodiment is that the
differential configuration cancels out the effect of parasitic
environmental influences, e.g. temperature variations or
fluctuations in the chip supply voltage.
[0066] As an alternative to configuring the differential
arrangement of FIG. 10 as a dual-layer arrangement, as in FIGS.
9(a) and 9(b), it is possible to configure it as a side-by-side
arrangement of the two organic protection structures. In that case,
care must be taken to ensure that any attack results in a change in
one of the layers in preference to the other layer. One way of
doing this is to employ the topographical insulation layer
arrangement of FIG. 7 in different ways for the two protection
layers. This may be easily achieved by, e.g., the inkjet printing
of a PVP insulator to form different topographical features. Thus,
if an attacker uses mechanical means of depackaging, one structure
will be damaged before the second structure. Alternatively, if one
of the two protection structures is pre-treated with a material
likely to be used for depackaging (e.g. PEDOT/PSS treated with
HC1), then a depackaging attempt will only significantly affect the
untreated protection structure. The use of hydrochloric acid, such
as to result in a significant change in conductivity, is discussed
in "Chemical and thermal treatment of PEDOT:PSS thin films for use
in organic light emitting diodes, Surface and Coatings Technology",
T. P. Nguyen, Volumes 180-181, Proceedings of Symposium G on
Protective Coatings and Thin Films-03, of the E-MRS 2003 Spring
Conference, 1 Mar. 2004, Pages 646-649.
[0067] One possible way of configuring two or more different
protection layers side-by-side on the same chip is shown in FIG.
11(a). In FIG. 11(a), which constitutes a fifth embodiment, a
series of protection-layer bond-pads 90, 92, 94, 96, 98 and 100 are
provided and these are connected to the ends of separate sections
102, 104, 106 and 108 of an organic protection layer. Section 102
lies between pads 90 and 92, section 104 between pads 94 and 96,
section 106 between pads 90 and 96 and section 108 between pads 98
and 100. Any two of these sections could be used in the
differential arrangement of FIG. 10. Indeed, all of them could be
so used, though this would render the determination of the value to
be placed in the memory 84 in FIG. 10 more complex.
[0068] If all sections are used, one method is to compare different
pairs of sections with each other. Thus, the characteristics of
sections 102 and 104 could be compared with each other against a
reference value, as could also the characteristics of sections 106
and 108. Then either the two results of these comparisons could be
used separately as a kind of backup indication of card integrity,
or they themselves could be compared with each other to yield a
single comparison result, which is used to determine card
integrity. When all of the sections are compared with each other
directly to yield a single comparison result, one possibility is to
form an average characteristic value for the four different
sections, and to then compare this value with a single reference
value.
[0069] In FIG. 11(b) exactly the same pad layout is employed, but
this time there is a different arrangement of the protection-layer
sections between those pads. In the FIG. 11(b) arrangement the
various sections are not separated, but are intermixed. This is
another advantage of the invention, in that any number of different
protection-layer patterns can be provided for different chips,
while retaining the same basic pad layout, thereby making it more
difficult for an attacker to predict the characteristics of the
protection layers. Indeed, it is even possible to have different
layouts for chips of the same batch. This would be difficult to
achieve in the conventional metal-grid designs.
[0070] In the FIG. 11 arrangements, it is possible to employ as the
initial pre-characterising phase either the delay-time testing
procedure of the first embodiment (FIG. 2) or the I/V testing
procedure of the second embodiment (FIG. 3). As already explained
above in connection with FIG. 11(a), these procedures will yield a
series of values for the different permutations of the signal paths
associated with the various sections of the protection layer.
Either all of these values can be stored in memory as reference
values, or they could be combined by the use of some algorithm so
as to yield a single reference value, which is stored. For example,
a hash value could be used, which was based on a combination of the
individual delay times, or the hash value of the relative
proportions of delay times could be employed together with the
total delay time. The benefits of using a hash value have already
been explained earlier in connection with FIG. 4.
[0071] A further kind of pattern, which may be employed, is shown
in FIG. 12(a). This is a sixth embodiment of the invention, in
which the pattern is a spiral instead of a wave pattern, as shown
in FIG. 9 and FIGS. 11(a) and 11(b). The track forming this pattern
can either be in single-layer form or multi-layer form. With the
single-layer form, a contact pad 120 is connected to an outer end
of the spiral, while a second contact pad 122 is connected to its
inner end.
[0072] A two-layer version of this arrangement is illustrated in
FIGS. 12(b) and 12(c). FIG. 12(b) shows the constitution of an
outer end-section 124 of the spiral, in which this end-section is
composed of two interleaved patterns in two layers with vias
joining the two layers. It is expedient to employ printed vias, as
detailed in the paper "Inkjet Printing of Via Holes" by T. Kawase,
H. Sirringhaus, R. H. Friend and T. Shimoda, in "Inkjet Printed
Via-Hole Interconnections and Resistors for All-Polymer Transistor
Circuits", Advanced Materials, 2001, 13, pages 1601-1605. The lower
ends A, B of the pattern correspond to the lines A and B of FIG.
12(b). The upper ends C, D of the pattern are taken to a
continuation of this same pattern, which continues all the way
round the spiral. Thus the spiral consists of the same interleaved
pattern throughout. At an inner end-section 126 of the spiral the
interleaved pattern comes to an end, as shown in FIG. 12(c). The
ends C' and D' of FIG. 12(c) are connected to ends C and D through
this continuation of the pattern all the way round the spiral. Ends
E and F of the FIG. 12(c) pattern correspond to lines E and F of
FIG. 12(a). Finally, Line A is connected to pad 120, line F is
connected to pad 122 and line B is connected to line E.
[0073] With the arrangement just described, any short-circuit
between the layers will halve the effective electrical length of
the spiral pattern and be detectable using only two connection
pads, as shown.
[0074] Both the single-layer spiral pattern and the two-layer
spiral pattern have the drawback that they contain spaces between
the track sections, which an attacker could exploit in order to
gain access to the cryptographic key of the chip. With the
single-layer case, a solution analogous to that shown in FIG. 9
could be implemented, in which the spiral structure is disposed in
a second layer such as to fill in the gaps in the spiral structure
of the first layer. As regards the two-layer structure illustrated
in FIGS. 12(b) and 12(c), the gaps in this structure could be
filled by providing two further layers and a similar pattern
structure in those two layers, but in which the pattern in the
second two layers was displaced relative to that in the first two
layers. A suitable displacement would be for point G in the pattern
in the second two layers to be placed opposite the point G' in the
first two layers (see FIG. 12(b)). Thus the pattern in the second
two layers is displaced by one track thickness in the two
directions x and y.
[0075] Although it has been assumed that the organic protection
layer will be applied to the chip surface as a grid pattern by an
inkjet technique, it may be applied by other means--for example,
screen printing, micro-contact printing or, in the case of
Pentacene, vacuum deposition. The screen printing technique is
described in, e.g. "Screen-printed passive matrix displays based on
light-emitting polymers", J. Birnstock et al, Applied Physics
Letters, volume 78 number 24, 2001, pages 3905-3907, while
micro-contact printing is described in J. Tate, et. al.,
"Anodization and Microcontact Printing on Electroless Silver:
Solution-Based Fabrication Procedures for Low-Voltage Electronic
Systems with Organic Active Components", Langmuir, volume 16,
number 14, 2000, pages 6054-6060. Furthermore, it may take the form
of a continuous layer over the relevant parts of the chip surface,
rather than a grid. In this case, an attack which damages part of
this continuous layer will still affect the properties of the
layer, so that the key may be protected. However, in comparison
with a grid the sensitivity of such a layer may be less than ideal.
In practice, therefore, some form of grid pattern is to be
preferred.
[0076] While the electrical characteristics of the protection layer
have, as so far described, been determined based on an RC time
constant or the I-V transfer function, an alternative is to derive
the layer's characteristics on the basis of the metal-organic
interface properties. The electrical contact properties are
determined by the microstructure (deposition conditions) of the
organic material. For a combination of materials, a Schottky
barrier is formed between the metal and organic material. This
results in diode-like contact properties, with the height of the
Schottky barrier varying with the materials being combined. The
electrical properties (contact resistance, contact noise) of
contacts between dissimilar materials are usually very sensitive to
fabrication conditions and contamination, hence they are a
promising candidate for both tamper sensing and providing
individual characteristics for each chip. It was shown, for example
by Lim et al. (Jung Ah Lim et. al., "Solvent effect of inkjet
printed source/drain electrodes on electrical properties of polymer
thin-film transistors," Applied Physics Letters, volume 88 No. 8,
2006), that an addition of DMSO (Di-methyl-sulf-oxide) to a
PEDOT/PSS solution reduces the contact resistance/Schottky
barrier.
[0077] The smart-card chip arrangement described in this
specification has a number of advantages with respect to the
conventional arrangements employing metal protection grids.
Firstly, use of an organic protection layer allows a large number
of suitable grid structures to be employed, even within the same
production batch, which can help to protect against spoofing.
Secondly, because this layer is disposed on top of the outer layer
of the chip, it is more exposed to tampering and hence, if it is
tampered with, this can lead to shut-down of the card's services
before the cryptographic key has been accessed. Thirdly, compared
with a method such as Kommerling's, as described in the afore-cited
patent, no sensor structure is required on the chip. This
simplifies fabrication and minimizes added complexity.
[0078] Possible applications for the smart-card chip arrangement
according to the present invention are, as already mentioned, smart
cards for authorizing bank transactions, but also copy-protection
devices, game cartridges, inkjet or laser printer cartridges, RFID
tags, pay-TV decoder cards, phone cards, etc. All of these
applications, and others not specifically mentioned here, are
intended to come under the term "smart-card chip arrangement" used
in this specification.
* * * * *