With the trend toward greater global competition, companies are increasingly setting up manufacturing facilities in countries with historically weak legal protections for intellectual property (IP). Thus, there’s a growing demand among system designers for enhanced physical-layer security to protect sensitive information stored in silicon.
Even the most sophisticated lock in the world offers no protection if its key is easy to find. This principle applies equally to electronic encryption schemes. With this realization, hardware security has become one of the new primary requirements for many, if not most, consumer system-on-a-chip (SoC) architectures. There are many approaches for implementing on-chip security, using various memory technologies. The main challenge, then, is determining the best approach for your application.
To protect sensitive data, encryption is typically used to scramble the information. Many forms of encryption exist, all of which employ passwords and/or encryption keys. These “keys” are then used to scramble the sensitive information on the encryption side and to recover the information on the decryption side.
In ages past, keys to lock-boxes that protected valuables were well hidden in inconspicuous places in a residence or on a person’s body. In our current electronic age, these keys hide in some form of nonvolatile memory (NVM).
These electronic hiding places have historically been devices such as battery-backed SRAM, EPROM, EEPROM, flash, hard-disk drives (HDDs), or possibly masked ROM. While solid-state NVM devices offer more physical-layer security than hiding places such as disk drives, they’re still inherently simple for a hardware hacker to reverse-engineer. That’s why flash memory vendors are adding physically secure one-time programmable (OTP) memory technologies to their devices. To protect the integrity of any security system, the keys for that system must be protected in the physical layer—the permanent memory where the keys are, in effect, “hidden.”
Figure 1 shows the three common categories of embedded standard logic CMOS NVM technologies, along with the common methods an attacker might use to identify stored digital information. The most physically secure memories in silicon are the floating-gate and antifuse logic NVM technologies. Of these two, the CMOS antifuse class of NVM IP offers the most comprehensive physical-layer security in the market today. Because of that, security applications within industry standards such as the High-Definition Multimedia Interface (HDMI) and digital rights management (DRM) commonly use this technology to store encryption keys.
A designer needs to ask two critical questions when it comes to the protection of sensitive keys used in most, if not all, security schemes. First, how physically secure is the underlying memory technology? Next, is the sensitive encryption key information protected all throughout the manufacturing process?
The manufacturing stage is particularly critical because items like IP and encryption keys are so vulnerable to theft there, which can cost your company millions of dollars. For example, the organization licensing High-bandwidth Digital Content Protection (HDCP) encryption keys fines a company up to $8 million for each compromised encryption key. These two hardware security imperatives matter because encryption is only as robust as the ability of the encryption-based system to keep its key hidden.
One solution to this security challenge leverages a new embedded permanent memory technology based on a standard logic CMOS antifuse process. The technology provides unprecedented physical-layer security for data-storage applications that use data encryption and authentication, which require unique encryption keys and/or IDs for each hardware device.
For instance, Kilopass developed an embeddable antifuse in conjunction with Certicom Corp. Combined with a robust key distribution, tracking, and management system tailored for the global semiconductor manufacturing supply chain, this OTP memory technology provides end-to-end security for sensitive encryption keys and IDs from the system solution provider through to the end customer.
As digital media formats like those for DVDs and digital music distribution become more popular, the protection of IP and confidential data (CD), including encryption keys and sensitive customer data, has become a hot topic. Different industries have different security requirements and protect their IP and CD in different ways.
When DVDs were initially developed, the industry adopted the Content Scramble System (CSS) to encrypt the data. However, it wasn’t long before the system was compromised. (For a brief look at this landmark case, see “An Example Of Broken Security.”)
While the movie industry uses CSS to encrypt DVD movies, cell phones may employ 128-bit encryption over wireless channels and passwords for theft deterrence. Computers and PDAs may turn to password-based methods to restrict access only to those authorized by the owner. Similarly, online banking and other Web-enabled services must protect their customers from attackers, properly identify each customer, and authorize customers only for their own accounts.
Identity theft is on the rise due to the use of Social Security numbers as a form of ID and the prevalence of password theft via spyware. Other vulnerable forms of IP include digital game producers’ software as well as computer software. Losses to the video game and computer software industries are potentially as damaging as to the movie industry if their respective antitheft software security is broken.
Any physical device that provides secured access or secures the use of licensed or protected media, or of a licensed or protected application (whether distributed as software or as a Web-enabled application), benefits significantly from hardware security. Software is distributed and controlled by a vendor for general-purpose hardware, so when the software security is attacked and broken, it’s broken for all of the general-purpose hardware.
New hardware security methods are being used to establish a layer of security that’s unique for each device. Therefore, if security is broken for one hardware device, only that individual hardware device is affected without affecting the general hardware population and the integrity of the overall security system.
Industry standards typically last quite a bit longer than a product life cycle. So in cases where security is specified within an industry standard, the integrity of that security scheme will ideally survive as long as the industry standard it supports. Depending on the criticality of the embedded security scheme, the costs of a broken security scheme will often result in the breaking down of the standard that it supports.
Historically, most sensitive key information, such as HDCP, DRM, and WiMAX encryption keys, was stored in either an electrical fuse or in an off-chip EPROM or flash device. Now realizing that entire standards may be vulnerable to broken security schemes, system architects are beginning to ask for more hardened physical-layer security.
Designers who are new to security should ask why keys are so important to the integrity of a security system. As part of the explanation, Scott Crosby at Carnegie Mellon University and his co-authors wrote an academic article that stresses the importance of keeping encryption keys hidden in silicon [1]. The reason is the vulnerability of a cryptographic system once a relatively small subset of that system’s keys is identified or exposed.
These security factors lead to two hardware security imperatives. First, encryption keys need to include physical-layer security intrinsic to the nonvolatile memory technology used to store them. Second, encryption keys need to be secure from the point of origination (Central Authority or Licensor of the key) through to the internals of the target device (Fig. 2).
As indicated in the second hardware security imperative, protecting sensitive keys during the manufacturing process prior to programming them into a physically secure NVM technology requires encryption of key information. Only the target device has the integrated decryption logic or algorithms that are required to unlock a key. In this way, keys are protected throughout the semiconductor manufacturing supply chain whether they are programmed at wafer sort, in-package at test, or by an original equipment manufacturer (OEM) at the board level.
Since hardware is physical by nature, hiding keys or other valuable or sensitive information in it has been a significant challenge. That’s because different forms of visual or electrical inspection can often extract the keys or secured data.
If the owner of the hardware is trusted, then it may be left to the owner to maintain security for the hardware system or device. With the nature of consumer hardware products, it’s difficult to ensure possession of each hardware device or system by a trusted person.
Traditional hardware attacks can be grouped into three basic categories: passive, semi-invasive, and invasive. Passive attacks include glitching, power analysis, and data remanence, while semi-invasive attacks use UV light, microscopy, fault injection, voltage contrast, and magnetic scan. The most invasive attack approaches include chip modification, micro-probing, and reverse engineering, as well as rear-side measurements.
While designing for system-level security may protect against many of these various forms of attack, attacks at the device level are more difficult to defend. De-processing of the device (removing layers of metal and oxide), microscopy, and side-channel attacks (such as power analysis) are prominent methods. Hackers with a higher degree of sophistication may resort to voltage contrast and magnetic scan, leaving invasive forms of attack for those with the highest levels of sophistication and those with the largest budgets.
Embedded OTP memory cells, such as those used in Kilopass’ patented CMOS Logic Antifuse or eXtra Permanent Memory (XPM) bit cell, can provide a high level of security. As indicated in Figure 3, which contains programmed and un-programmed cells adjacent to each other, there’s no visible physical or electrical indication as to which cell is or isn’t programmed. This is true whether the chip is cross-sectioned, viewed from the top, or observed using a focused ion-beam voltage-contrast imaging scheme.
This lack of any noticeable difference is due to the inherently small size of physical changes that occur to the CMOS transistor’s gate oxide when programmed from its original “0” state to a programmed “1” state. Since the oxide breakdown (antifuse) occurs in a random location within a bounded region and is extremely small, the state of the bit cell stays well hidden in the CMOS antifuse’s silicon atoms. Likewise, no charge is stored as with flash, EPROM, or EEPROM technologies, so there’s no charge to externally detect as a “1” state.
Most security experts prefer OTP memory technologies for the simple fact that state changes or programming “0”s to “1”s are destructive, as is the case with XPM. This may be used at the system level to prohibit tampering, as well as to protect against side-channel attacks and glitching.
This level of physical-layer security at the NVM device level is unique to antifuse-based technologies such as XPM technology and antifuse solutions from other vendors. Since XPM cells are embeddable in an ASIC or ASSP, they can be fabricated on standard CMOS logic processes at 90, 65, and 45 nm. As a result, there are no additional process steps, keeping manufacturing costs low.
SECURING THE MANUFACTURING
In spite of an NVM technology that provides security at the physical layer, if sensitive keys are exposed during the exchange of key information in the fabless semiconductor company’s supply chain, the security scheme may be compromised or broken (Fig. 4). This becomes more critical with technology industries that outsource design and manufacturing to countries where legal IP protections are weak, driving the need for system-level protections in the final microelectronic product.
As stated previously, in the case of DVI and HDCP keys, the licensor may charge a penalty of up to $8 million per exposed key. Other security key licensors are following suit to help protect the integrity of their overall security schemes for the duration of the industry standard they are protecting. This legally imposed penalty is deemed necessary to protect that system from the exposure of keys that, as suggested above, would likely result in compromising the storage solution’s security.
For example, if a fabless semiconductor company uses a back-end test house in another country with poor legal protections for the final programming of encryption key information into the target chip, that key information may easily be exposed to corruption (Fig. 4, again). In this case, any legal recourse and damage recovery may be difficult at best.
To protect against such a case, the fabless company may decide to encrypt the sensitive key information prior to transmitting keys to the test house for programming. An embedded decryption module inside the target device would then unlock the key for programming internal to that device.
The combination of manufacturing security for sensitive data and physical-layer security defends against key and ID exposure, as well as any liabilities assumed through the licensing of industry-standard keys. Security keys are encrypted by the manufacturing key management solution and communicated through secure server technology within the manufacturer’s supply chain. The hardware security embedded in the microchip decrypts the sensitive information. All of the keys are tracked and managed for auditing by the manufacturer or Certificate Authority as needed.
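The following added example (not Kilopass’ or Certicom’s code) models the two behaviors described above: the licensor wraps a device key so the test house handles only an opaque blob that the target chip alone can unwrap, and the chip’s antifuse OTP array lets bits go only from “0” to “1,” so a blown lock fuse permanently refuses re-programming. The wrap construction (HMAC-SHA256 in counter mode plus an HMAC tag), the 16-byte key, the device IDs, and the OTP layout are all constructed for the demonstration; the real key management system’s cipher is not described on the page.

```python
import hashlib, hmac, secrets

# Stand-in authenticated wrap built from the standard library (assumption, not the real scheme).
def _keystream(kek: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(kek, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def wrap_key(kek: bytes, device_id: bytes, key: bytes) -> bytes:
    """Licensor / key-management side: encrypt-then-MAC, bound to one device ID."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(key, _keystream(kek, nonce, len(key))))
    tag = hmac.new(kek, b"tag" + device_id + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag  # this is all the test house ever sees

class AntifuseOtp:
    """OTP array model: programming is destructive, bits only go 0 -> 1."""
    def __init__(self, nbits: int):
        self.bits = [0] * nbits
    def program(self, offset: int, data: bytes) -> None:
        for i, byte in enumerate(data):
            for b in range(8):
                if (byte >> (7 - b)) & 1:
                    self.bits[(offset + i) * 8 + b] = 1  # never cleared again
    def read(self, offset: int, n: int) -> bytes:
        chunk = self.bits[offset * 8:(offset + n) * 8]
        return bytes(int("".join(map(str, chunk[i:i + 8])), 2) for i in range(0, len(chunk), 8))

class Device:
    LOCK = 0  # byte 0 is the lock fuse; the 16-byte key lives at bytes 1..16 (constructed layout)
    def __init__(self, device_id: bytes, kek: bytes):
        self.device_id, self._kek, self.otp = device_id, kek, AntifuseOtp(17 * 8)
    def provision(self, blob: bytes) -> bool:
        """Test-house programming step: the blob is unwrapped only inside the chip."""
        if self.otp.read(self.LOCK, 1) != b"\x00":
            return False  # lock fuse already blown: refuse any re-programming
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        exp = hmac.new(self._kek, b"tag" + self.device_id + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, exp):
            return False  # altered in transit or wrapped for a different device
        key = bytes(a ^ b for a, b in zip(ct, _keystream(self._kek, nonce, len(ct))))
        self.otp.program(1, key)
        self.otp.program(self.LOCK, b"\xff")  # blow the lock fuse
        return True
```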
To summarize, hardware security is rapidly becoming the norm when enhancing system-level security and extending the life of a security scheme for the duration of the life of the standard that it protects. This is evident with the prevalence of smart cards in countries around the world, as well as unique device key/ID requirements in standards like HDMI, Blu-ray, and WiMAX.
The same principles apply to security schemes that protect storage solutions. A technology-based security solution with physical-layer security is needed to ensure the survivability of these important electronic standards in the face of increasingly sophisticated attacks in a modern global society.
1. Scott Crosby, Ian Goldberg, Robert Johnson, Dawn Song, and David Wagner, “A Cryptanalysis of the High-Bandwidth Digital Content Protection System,” Carnegie Mellon University, Zero Knowledge Systems, and University of California at Berkeley.