FR2727226A1 - ACTIVE SECURITY DEVICE WITH ELECTRONIC MEMORY - Google Patents

Abstract

The present invention relates to a security device containing secret information, of the type comprising a memory area of an integrated circuit receiving said information and protection means integrally covering at least the memory area. The protection means consist of at least one second integrated circuit (2). The device further comprises interactive connection means (9, 9 ′) between the two integrated circuits, and means for destroying secret information in the event of the connection being broken or disturbed.

Description

DH SECURITY ACTIVE DEVICE AT NIXOIRI ILECTRONIQUZ
The present invention relates to a security device with electronic memory intended for the protection of secret information contained in the memory.

 Such devices are present in particular in portable payment terminals, inside an electronic module known as application security (SAM). These modules are of capital importance because they contain secret information (example: bank keys) whose discovery would allow access to an entire system.

 The information is necessarily found in an electronic layer of an integrated circuit. A passivation layer generally covers the electronic layer.

 In some cases, it may not be a sufficient obstacle to access to secret information, if sophisticated reading means are used to read the information through the passivation layer. These reading means can, for example, use exploratory techniques of the particle beam type.

 Among the existing techniques intended to protect this information, there is known that which consists in using traditional intrusion sensors which protect an enclosure in which the electronic memory containing the information is enclosed.

Means are also known which directly protect the integrated circuit against reading using sophisticated means. These means are of two types: the first consists in masking the design of the semiconductor, for example by metallization, grid of false circuits or layer of diamond carbon; the second consists in memorizing the information in a memory of the RAM type and in possibly combining it with random numbers permanently modified. Information is only accessible through an operating system that controls access to it. The principles used are identical to those of microprocessor cards. According to this second type, the secrets contained in a RAM memory are systematically lost if the power supply to the component is interrupted. In this case, access to information is not completely insurmountable if we know - how to eliminate the resin component housing
energized without creating a short circuit which
would result in the loss of information, - the exact diagram of the component, - the memory "jamming" table, - the address of secrets in the memory map, - and the way to record and analyze correctly
the address and data bus in real time.

 The various prior techniques above have the drawback of being either ineffective if very sophisticated means are used, or of being expensive in the case in particular of the use of diamond carbon masks.

 The object of the present invention is to provide an electronic security device whose efficiency is improved and whose production is also compatible with standardized manufacturing methods.

 To this end, the subject of the present invention is a security device containing secret information and intended to prevent access to this information by external exploration means, of the type comprising a memory area of an integrated circuit receiving said information. and protection means integrally covering at least said memory area so as to form an obstacle to exploration, characterized in that said protection means are constituted by at least one second integrated circuit, and in that it further comprises means for interactive link between the two integrated circuits, and means for destroying secret information in the event of their link being broken or disturbed.

 According to a characteristic of the invention, the device comprises authentication means making it possible to authenticate at least the second integrated circuit.

 According to a first embodiment of the invention, the integrated circuits are mounted one behind the other and include external electrical connections connecting them to each other.

 According to a second embodiment of the invention, the integrated circuits are mounted face to face and have internal electrical connections connecting them to each other.

Other characteristics and advantages of the present invention will emerge from the description which follows, of an embodiment of the invention made with reference to the appended drawings in which - FIG. 1 represents a section of the structure of
the invention according to a first embodiment, - Figure 2 shows a section of the structure of
the invention according to a second embodiment, - Figure 3 shows the invention with modes of
specific interactive links.

 In FIG. 1, it can be seen that the security device consists of two electronic circuits arranged one above the other, a first circuit to be protected, called the master, under a second protective circuit 2 called the slave. It is in this case two integrated circuits 1, 2 fixed integrally to each other and connected together by connecting means. These connection means must allow interaction between the master and slave circuits: an exchange or circulation of flows or signals of any kind (magnetic, electrical, optical, capacitive, etc.). They may relate to a simple electrical contact. Preferably, the interaction is a function of the distance separating the integrated circuits so that the slightest relative displacement of the two circuits breaks or disturbs it.

 In the absence of these preferential connecting means or in a complementary manner, the linking means of the invention allow communication between the two circuits, then considered as transmitters and / or receivers.

 Each integrated circuit consists of a substrate 3, 3 'of an electronic layer 4, 4' on the substrate and a passivation layer 5, 5 'covering the electronic layer. The substrate is a semiconductor generally made of Silicon or Gallium Arsenide. This layer is between 100 and 300 micrometers thick. The electronic layer contains functionalities as well as a memory area 6, 6 ′ intended to contain the secret information. This layer measures ten micrometers thick. The passivation layer placed above the electronic layer is made of an inert material, for example silicon nitride. This layer measures a few tens of micrometers thick.

 The second integrated circuit has a structure generally equivalent to that of the first circuit with the exception of its dimensions; the electronic layer may include a memory area which may also contain part of the secret information. The second integrated circuit is arranged above the first in such a way that it covers at least the memory area containing the secret information. It can also mask sensitive circuits such as the processor, the bus and the memories and any element of circuit likely to give information on the secrets.

 The two integrated circuits are connected integrally, for example by a layer of cyanoacrylate adhesive 7 disposed between the passivation layer of the first integrated circuit and the substrate of the second integrated circuit.

The glue can be chosen so that any attempt to separate the two integrated circuits causes either the tearing of the passivation layer or the tearing of the substrate.

 It is also possible to use several bonding zones, each with a different type of glue, or a combination of glues or other joining technique.

 The first integrated circuit has a larger dimension than the second to allow access to its power supply and to connections. Connection means connect the two integrated circuits from the outside; for this purpose, connection points 8 open onto the respective free surfaces 10, 10 ′ of each integrated circuit. These connection points are connected by wiring wires 9 in gold or aluminum which pass outside the integrated circuits. The electronic assembly is constantly kept energized by an external backup battery (not shown). The master component comprises points of connection with the environment, for example, with the constituent elements of the SAM. Conventionally, the wiring wires can be embedded in a coating material such as resin.

 The memory of the first integrated circuit, or even of the second, can be of the RAM type.

 According to an improved aspect of the invention, the security device can further comprise authentication means making it possible to authenticate at least the second electronic circuit. Authentication can be performed at any time, periodically or randomly. The periodicity must be less than the time necessary to carry out a possible substitution of the second circuit by another simulation circuit. These means are preferably included in one and the other integrated circuits. They cooperate together so as to ensure at least the authentication of the second integrated circuit. Thus, authentication can be either unilateral or mutual in nature. The operation of the authentication procedure between the two integrated circuits can be based on a traditional principle of exchanging cryptographic or electronic signals.

 According to a more perfected aspect of the device, the authentication means can operate according to a procedure implementing a dynamic session secret key known per se. The means to be implemented are described by the American standard ANSI 9.24.

 The security device comprises means for destroying secret information in the absence of authentication as well as in the event of disconnection or destruction of one of the electronic circuits. These means are at least part of the first integrated circuit and are known per se. They are, for example, means for general zeroing of the memory.

 In Figure 2, we see that the safety device according to the invention is in a different form. It is also composed of two integrated circuits, the structure of each of which is broadly identical to that of the integrated circuits of the previous embodiment. The same reference numbers are therefore used to designate the same elements. The essential difference lies in the fact that the two integrated circuits are mounted face to face.

 According to this arrangement, these two integrated circuits are mechanically integral with one another by means of their passivation layer. The assembly is done in such a way that their connection points are facing each other. The two integrated circuits can be connected as before by a layer of glue based on cyanoacrylate.

 The electrical contact between the two circuits can be made through a conductive adhesive, for example silver-based adhesive. According to one embodiment of the connections, these are made by a welding technique, for example and conventionally with indium balls.

 The same conductive adhesive can be used not only to ensure contact but also to ensure the joining of the two integrated circuits. Thus, the use of solvent for dissolving the glue in order to separate the components also causes the electrical connection to break.

 Advantageously, it is possible first to supply the slave component from the outside and then have the supply pass through internal electrical connections between the two components to supply the master component or vice versa.

 Thus in the event of separation, the power to the master component is cut off and the information is lost if it is in a RAM memory (volatile memory not backed up).

 We realize that this arrangement is particularly interesting insofar as the connections between the two integrated circuits are internal, which represents an additional barrier to the severity of the security device.

 Provision may be made to distribute the secret information in the two master and slave components. They can have the same importance and be masters and slaves in turn.

 The protection principle can be applied to several integrated circuits beyond two. These can be stacked on top of each other.

 There may also be a master component comprising n surfaces to be protected, each surface being covered by a slave component.

 It is also possible to have, in the same electronic layer, several master electronic circuits each containing a part of the secret information, each protected by a slave component.

 It is understood that the device can be produced from two integrated circuits according to a standardized manufacturing technique called "Multi-Chip-ModuleW (MCM). This device therefore has the advantage of being economical.

 In Figure 3, we see that the two components are mounted face to face as in Figure 2. The same reference numbers are used for the same elements. The connection means are however different in nature from the electrical connections.

 The connection elements each represent an electromagnetic coil engraved on the semiconductor of each component. These coils are placed face to face with an electromagnetic coupling, preferably tight. By these means, a magnetic interaction is ensured between the two components.

 Advantageously, the interaction can be used to convey communication information between the two components, for example for the purpose of authentication according to the procedure described above. It can also allow a supply of a component through the other.

 Preferably, communication for data transmission and a power supply are carried out at the same time using the same coils. The means to be used, known per se, are described in the ISO standard (IEC 10536 part 3). They involve two phase shifted signals for the activation of the coils.

 It is found that the use of a very tight electromagnetic coupling practically does not support relative displacement of one component with respect to the other.

Indeed, the slightest movement would cause a disturbance or a cut in the interaction of the transmitter and receiver coils. Similarly, any attempt to introduce a bypass element between the connections would cause a detectable disturbance or a breakdown in the interaction.

 The interruption of the power supply of a component containing the information in a RAM memory leads to the loss of information while the disturbance can lead to a total or partial modification of the communication signal and the loss of the integrity of a message between the two components.

 One of the means for detecting the loss of the integrity of a message is to use error correction codes or conventional error detection codes such as Hamming code or CRC 16 (polynomial code).

 If an error is detected, the destruction means are activated to eliminate the secret information. If a RAM memory is used, the destruction means may consist of means for cutting off the supply of the component; for example a transistor connected in series with the power supply bus of the memory.

 The components may include other connecting means instead of the electromagnetic coils. The elements 13, 13 ′, 14, 14 ′ can represent capacitors or optical diodes for effecting a capacitive or opto-electronic interaction respectively.

 In the case of opto-electronic coupling, a transparent window is arranged between the elements 13, 13 'and 14, 14' either with the absence of material or with a transparent material (not shown).

 The means to be used for the exploitation and processing of such signals are conventional. The authentication means and information destruction means can be identical to the means described in FIGS. 1 and 2.

 The supply of the first integrated circuit can also be carried out by capacitive coupling.

 Two different types of connections can be used for power supply and for data transmission, for example electromagnetic for one, capacitive for the other.

 The operation of the safety device of FIG. 1 is carried out as indicated below.

 The device being powered, for example, by an external backup battery, a periodic communication is established between the two components for example to carry out a mutual authentication procedure defined in particular by the ISO / IEC 9594-8 standard. If one of the two components breaks the communication and / or does not authenticate correctly, the secret information is deleted in the component which does not authenticate the other component. Optionally, to avoid any simulation of the components present, the secret authentication key is a dynamic session key created at the initialization of the active security module.

 To reach the secrets contained in the first integrated circuit, it is necessary to remove the integrated circuit above it beforehand without it being destroyed or modified. Given the way in which the two integrated circuits are joined, for example, by means of a cyanoacrylate adhesive, it is practically impossible or extremely dangerous to attempt a separation of the second circuit without destroying it.

 In the event that there is a means to separate the second integrated circuit from the first circuit without destroying or deactivating it, we could then have recourse to the embodiment of the safety device according to its second embodiment (fig. 2 or fig. 3).

 The operation of the device in FIGS. 1 and 2 is carried out as indicated below.

 If the electrical connections are made internally by simple contact, bonding or soldering by using indium balls, it becomes impossible to decouple the two integrated circuits without breaking the contact.

 If the connections are made electromagnetically, capacitively, optically, the simple relative movement of one component with respect to the other causes a disturbance in the interaction which is treated as a connection break.

 If the connections are used to supply power to the integrated circuits, the breaking of the latter causes the erasure of the information which would be contained in a volatile memory RAM.

 Any attempt at decoupling is made all the more difficult as the connections are close to the middle of the safety device, that is to say, close to the middle of the respective contact surfaces of the master and slave components.

 The operation of the authentication means of the security device according to the second embodiment is identical to that of the first mode.

 If electrical connections are used to ensure communication according to an authentication procedure, the rupture causes an absence of authentication in the imposed period and the means of destruction of the information are activated, for example to put the memory at the same level.

In the preferred case where a memory is used
RAM, to contain the secret information, the destruction means are means for cutting off the supply of the component
In all cases, according to this second embodiment, the relative displacement of the circuits with respect to each other is penalized by the loss of the secret information.

Claims (17)

1. Security device containing information  secret and intended to prevent access to these  information by external means of exploration,  type comprising an integrated circuit having a zone  memory receiving said information and means of  protection covering jointly at least the said  memory area so as to form an obstacle to a  exploration characterized in that said means of  protections are constituted by at least a second  integrated circuit (2), and in that it further comprises  interactive connecting means (9, 9 ') between the  two integrated circuits, and means of destruction  secret information in the event of a breach or  disruption of their bond. 2. Device according to claim 1, characterized in that  that it includes authentication means allowing  to authenticate at least the second integrated circuit. 3. Safety device according to claim 2,  characterized in that the authentication means  operate according to a procedure implementing a  dynamic session secret key. 4. Safety device according to one of claims 1  to 3, characterized in that the integrated circuits are  mounted one behind the other and have  external electrical connections (9) connecting them to one &  the other. 5. Safety device according to one of claims 1  to 3, characterized in that the integrated circuits are  mounted face to face and have connections  electric (9 ') internal connecting them to each other. 6. Safety device according to claim 5,  characterized in that integrated circuits have their  electrical connection points (8, 8 ') arranged opposite  face. 7. Safety device according to claim 6,  characterized in that the connection of the circuits  integrated is carried out by welding. 8. Safety device according to claim 6,  characterized in that the connection is made by  using a conductive adhesive. 9. Safety device according to one of claims 1  to 3, characterized in that the integrated circuits are  mounted face to face and have connections  electromagnetic or internal capacitive. 10. Safety device according to claim 9,  characterized in that the same connections ensure  the supply of the first integrated circuit and the  data transmission. 11. Safety device according to claims 5 to 10,  characterized in that the connection points of the  integrated circuits are located in a central area of  their respective contact face. 12. Safety device according to any one of  previous claims, characterized in that the  integrated circuits are fixed to each other by  through a layer of glue (7). 13. Safety device according to claims 8 and  12, characterized in that the fixing of the circuits  integrated as well as the electrical connection is ensured  with a conductive adhesive. 14. Safety device according to any one of  previous claims, characterized in that the  second integrated circuit also has a zone  memory (6 ') and in that the electronic circuits  have means of mutual authentication. 15. Safety device according to any one of  previous claims, characterized in that one  integrated circuits at least has a RAM memory  in which there is secret information. 16. Safety device according to any one of  previous claims, characterized in that the  integrated circuits overlap their  circuit elements (6, 6 ') capable of giving a  information about secrets. 17. Safety device according to claim 5,  characterized in that the feeding of the first or  second integrated circuit is carried out through  internal electrical connections (9 ').