Attacks at the physical level
Manipulations at the semiconductor level require a large amount of technical effort. Depending on the attack scenario, the equipment required may include a microscope, a laser cutter, micromanipulators, focused ion beams, chemical etching equipment and very fast computers for analyzing, logging and evaluating the electrical processes in the chip. This equipment and the knowledge of how to use it are available to only a few specialists and organizations, which strongly reduces the probability of an attack at the physical level. Nevertheless, a card or semiconductor manufacturer must assume that a potential attacker could obtain the devices and equipment necessary for such an attack, which means that suitable protection must be built into the hardware. In order to conduct an attack at the physical level, a few preliminary steps are necessary. The first thing that has to be done is to remove the module from the card, which can easily be done using a sharp knife. After this, the epoxy resin must be removed from the chip. Anderson and Kuhn [Anderson 96b] used fuming nitric acid for this with an infrared lamp as a heat source, followed by an acetone rinse to clean the chip. After this, the semiconductor chip is free and still fully operational. Many people think that the chip now lies unprotected before them and only has to be ‘read out’, but this is by no means so. An attacker still has to work through a whole series of security measures before he can gain access to the secrets. The protective measures in the hardware can be divided into passive and active components. The passive components are based directly on the techniques used in semiconductor manufacturing. They include all processes and options that can be used to protect the memory region and the other functional parts of the microcontroller against various types of analysis.
There is a full spectrum of active components available on a silicon chip to complement the passive possibilities offered by the semiconductor technology. Active protection means the integration of various types of sensors into the silicon crystal. These sensors are queried and evaluated by the smart card software as needed. This is naturally only possible when the chip is fully powered and operational. A chip without electrical power cannot measure any sensor signals, let alone evaluate them. Where sensors are concerned, the boundary between useful protective components and technical gadgetry is sometimes particularly narrow. A light-sensitive sensor that is supposed to prevent optical analysis of the memory will not respond if the chip is located on the object carrier of an optical microscope without power or a clock signal. In addition, it is very easy to visually identify such a sensor on the chip surface and cover it with a drop of black ink, so its protective function can easily be neutralized even when the chip is operating. However, this can be countered by distributing a large number of light sensors over the entire chip. Long-term functional security is also an important consideration. For example, a temperature sensor that causes the smart card software to erase the entire EEPROM in response to a brief but non-damaging overheating of the chip makes absolutely no contribution to increased functional security or security against an attack. Consequently, most smart card microcontrollers employ only a few sensors. In the following descriptions, we explain the protective mechanisms of smart card microcontrollers that are the most important and the most often used in practice.

Static analysis of smart card microcontrollers
Protection: semiconductor technology
The dimensions of structures on the chip (track widths, transistor sizes and so on) approach the limit of what is currently technically possible. The usual structural widths lie in the range of 0.35 μm to 0.13 μm, which in itself is no longer technically remarkable. However, the transistor density on the silicon is among the highest that can currently be achieved using standard lithographic fabrication processes. These very fine structures alone make it nearly impossible to extract any information from the chip using analytic procedures, for which reason semiconductor technologies with structure sizes of around 1 μm are currently considered to be secure. This dimension is sure to be reduced in the future.

Protection: chip design
‘Standard cells’ are frequently used in designing semiconductor integrated circuits. They can contain the core elements of a processor or a particular type of memory. The advantage of using standard cells is that it allows a semiconductor manufacturer to quickly produce a variety of different types of chips with a high level of quality. This technique, which was developed for mass-produced components where security is not an issue, must not be used for smart card microcontrollers. This is because the designs and functions of standard cells are known, and their use would thus provide a potential attacker with too much information and considerably simplify his task. The functional elements of smart card microcontrollers are developed especially for this application and are not used for any other purpose.

Protection: dummy structures
Using dummy structures on the chip is a measure that is a frequent subject of controversy among experts. Dummy structures are elements of the semiconductor that do not have any actual function, but instead are intended to confuse and mislead an attacker. The associated security is based purely on keeping the existence and locations of such structures secret. Dummy structures can also be monitored, so that any changes to them can be detected and can cause the chip to switch off. The main disadvantage of dummy structures is the additional room that they occupy on the chip.

Protection: chip busses
None of the internal busses of the chip, which connect the processor to the three types of memory (ROM, EEPROM and RAM), is brought out from the chip. This means that it is not possible to directly make connections to these busses. It is thus not possible for an attacker to tap into the address, data or control bus of the microcontroller or influence the bus signals in order to read out the memory contents. The busses are usually fabricated in the lower layers of the semiconductor device in order to make it difficult to make direct contact with them from the surface. In addition, the busses on the chip are scrambled in a static, chip-specific or session-specific manner, so the functions of the individual bus lines cannot be recognized from the outside. There are even smart card microcontrollers whose bus scrambling is continuously modified during a session.

Protection: memory design
The storage medium used for most programs is the ROM. The contents of the type of ROM commonly used in the industry can be read bit by bit using an optical microscope. It would not be particularly difficult to assemble these bits into bytes and then arrange these bytes to obtain the complete ROM code. In order to prevent exactly this type of analysis, the ROM is not located in the top level of the chip, which is the most easily accessible layer. It is instead located in the lower layers of the silicon. This impedes an optical analysis. However, if the chip were to be glued to a carrier upside down and the rear surface were then ground off, it would be possible to read the contents of the ROM. For this reason, only ion-implanted ROM is used in smart card microcontrollers, since the contents of such a ROM cannot be seen using either visible or ultraviolet light. This also largely protects against ‘selective etching’, which is a process that can be used to attempt to etch the semiconductor in order to make the contents of the ROM visible.

Protection: protective layers (shields)
Analyzing the electrical potentials on the surface of the chip while it is operating represents a threat. With a suitably high scanning resolution, this technique can be used to measure charge potentials (voltages) on very small regions of the crystal. With this information, it is possible to draw conclusions about the contents of the RAM while the chip is operating. This analysis can be very effectively prevented by placing current-carrying metalization layers on top of the memory region or the entire chip. If these metalization layers are removed by chemical etching, the chip will no longer operate properly, since they are needed to distribute the electrical power the chip needs in order to function. Frequently, several protective layers are arranged on top of each other and continuously monitored for integrity. In addition, the chip can be fabricated with meandering current-carrying structures on top of the entire chip or on top of a region that needs special protection, such as an underfrequency detector. These structures can be easily monitored using resistance or capacitance measurements, or they can be incorporated into the circuitry of the chip such that it immediately stops working if they are damaged. Security can be further increased by modifying the connections or interconnections of these meandering structures during a session. This provides protection against using a focused ion beam (FIB) tool to bridge the meanders. It is also conceivable to use opaque protective layers whose integrity is continuously monitored by phototransistors, which are easily implemented in semiconductor devices. If such a layer were removed, this would immediately be detected and the chip could refuse to operate any further.

Attack and defense: reading out the volatile memory
As is well known, a RAM loses its data contents when its power supply is cut off. However, this does not occur if the memory cells are cooled to a temperature of −60 °C. Also, the content of the RAM is not necessarily lost if the stored data remain unchanged for a long time. The background to this effect is described in a paper by Peter Gutmann on the subject of securely erasing memory media [Gutmann 96]. Consequently, secret keys are not held in RAM any longer than is absolutely necessary, following which they are immediately erased or overwritten with other values. This minimizes the risk that traces of secret keys may be left in the RAM cells and weakens attacks based on fixing the RAM contents by freezing or burning. Reading out RAM cells is very difficult, since it requires detecting the switching states of the transistors involved. However, it is certainly possible to extract stored data from RAM cells using sophisticated electron microscopes and special contrast-enhancement methods. A prerequisite for this is removing the passivation layer and the metalization layers underneath the passivation layer, which protect the RAM against exactly this type of attack. Removing the metalization layers unavoidably causes the RAM cells to be destroyed, since part of their functionality is incorporated in these layers.

Protection: memory scrambling
Scrambling the memory on the microcontroller chip, which is similar to the well-established practice of scrambling the busses, is being used increasingly often. The security of this technique is based on the secrecy of the scrambling scheme for the memory cells. Memory scrambling is easily implemented and does not require much additional space on the chip. Without the relevant scrambling information, it is extremely difficult for an attacker to discover how the memory cells are actually addressed. The EEPROM can also be scrambled using software. However, this requires complicated programming, and all write accesses must be protected by making them atomic operations, since otherwise the system would be very vulnerable to the sudden removal of the supply voltage. Software memory scrambling does, however, have the advantage that it can be made chip-specific and even dynamic, so that the memory contents can be redistributed within the memory in the course of a session.

Protection: memory encryption
Besides scrambling the data in the memory, modern smart card microcontrollers also provide batch- or chip-specific encryption of the memory and some of the processor registers. This involves decrypting or encrypting the corresponding data in real time when they are read or written. Besides the key, with some types of chips the memory address can also be incorporated in the encryption and decryption process, so that identical data in different memory locations have different values after having been encrypted. Particularly for RAM regions, session-specific keys can also be used. With such encryption, if data are read from the memory by means of a successful attack, it will still be necessary to have the secret key in order to recover the plaintext values. This considerably increases the amount of effort that must be expended by an attacker, since he must either know where the key is stored or systematically read out all of the data present in the chip.
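The two preceding mechanisms, chip-specific memory scrambling and address-dependent memory encryption, can be modelled together in software. The following is an added illustration, not code from the book or from any chip manufacturer: it simulates a tiny memory region whose controller first maps each logical address to a key-dependent physical cell and then XORs the word with a keystream derived from the chip key, a session key and the physical address. HMAC-SHA256 stands in here for whatever dedicated hardware cipher a real chip uses, the key values and the 16-word memory are constructed for the example, and all function and class names are assumptions.

```python
import hashlib
import hmac

# Constructed, tiny model of a memory region: 16 words of 4 bytes each.
MEMORY_SIZE = 16
WORD_SIZE = 4


def scramble_map(chip_key: bytes, size: int) -> list:
    """Chip-specific address scrambling: a permutation derived from the chip key.

    perm[logical] is the physical cell that holds logical address `logical`.
    Ranking the addresses by a keyed hash is one simple way to obtain a
    key-dependent permutation (assumption; a real chip uses dedicated logic).
    """
    rank = {i: hmac.new(chip_key, b"addr:%d" % i, hashlib.sha256).digest()
            for i in range(size)}
    return sorted(range(size), key=rank.__getitem__)


def cell_pad(chip_key: bytes, session_key: bytes, physical: int) -> bytes:
    """Address-dependent keystream word: PRF(chip key, session key || physical address).

    Because the physical address enters the derivation, the same plaintext written
    to two different cells is stored as two different ciphertexts. The session key
    models the session-specific keying the text mentions for RAM regions.
    """
    msg = session_key + physical.to_bytes(2, "big")
    return hmac.new(chip_key, msg, hashlib.sha256).digest()[:WORD_SIZE]


def xor_words(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ScrambledEncryptedMemory:
    """Memory controller model: scramble the address, then encrypt the word."""

    def __init__(self, chip_key: bytes, session_key: bytes):
        self.chip_key = chip_key
        self.session_key = session_key
        self.perm = scramble_map(chip_key, MEMORY_SIZE)
        # self.cells is what a successful readout of the silicon would yield.
        self.cells = [bytes(WORD_SIZE)] * MEMORY_SIZE

    def write(self, logical: int, word: bytes) -> None:
        assert len(word) == WORD_SIZE
        phys = self.perm[logical]
        pad = cell_pad(self.chip_key, self.session_key, phys)
        self.cells[phys] = xor_words(word, pad)

    def read(self, logical: int) -> bytes:
        phys = self.perm[logical]
        pad = cell_pad(self.chip_key, self.session_key, phys)
        return xor_words(self.cells[phys], pad)

    def raw_dump(self) -> list:
        """Physical cell contents in physical order, as a readout attack sees them."""
        return list(self.cells)


def stored_ciphertexts(mem: ScrambledEncryptedMemory, logical_a: int, logical_b: int):
    """The two physical cell contents behind two logical addresses."""
    return mem.cells[mem.perm[logical_a]], mem.cells[mem.perm[logical_b]]


if __name__ == "__main__":
    mem = ScrambledEncryptedMemory(b"chip-key-constructed", b"session-key-1")
    mem.write(0, b"K1K1")   # same word at two logical addresses
    mem.write(9, b"K1K1")
    print("read back:", mem.read(0), mem.read(9))
    print("stored as:", stored_ciphertexts(mem, 0, 9))
    print("physical order of logical addresses:", mem.perm)
```

A dump of `cells` without the chip key shows neither which cell belongs to which logical address nor that two cells hold the same word; reusing the dump under a different session key decrypts to garbage, which is the effect session-specific keying has on a RAM region. The model deliberately omits two things a real design has to handle: an XOR pad reused for a second write to the same cell leaks the XOR of the two plaintexts, so a hardware cipher rather than a fixed pad per cell is used, and the writes here are not atomic, whereas the text notes that software-driven redistribution of EEPROM contents must be.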

Attack and defense: encrypted storage of secret data
This example of an attack at the physical level is actually a textbook example of a defensive measure that is not particularly effective. The basic idea of this defense is that if it is possible to read out the EEPROM of a smart card, an attacker should at least be prevented from thereby learning secret data, such as a PIN or key. Naturally, there are preventive measures that can be taken. For example, the PIN can be simply encrypted using a one-way function, with the result being stored in the EEPROM as the reference value for PIN comparison. A card-specific key could be used for the one-way function, so that the reference data for two identical PINs would be different in two different cards. If the reference value is now read from the EEPROM, it would seem to be impossible to derive the PIN from this value. However, a clever attacker would not even take such an approach. If normal PINs consisting of four decimal digits are used, the number space of the PINs has a lower boundary of ‘0000’ and an upper boundary of ‘9999’. This means that the number of possible PINs is exactly 10,000. If the attacker can read the entire memory of the smart card, he can also read the one-way function and its associated card-specific key. With this information, he can start encrypting all possible PINs using the one-way function. After an average of 5000 attempts, he will have obtained a result that matches the reference value in the smart card, which means he knows the PIN. As can be seen, in this case using a one-way function to store the PIN does not provide any significant benefit. The reason this mechanism is frequently used in practice is because it requires much more effort to read a large amount of data from a memory than only a few bytes for the PIN. Consequently, the keys in a smart card are frequently encrypted using a card-specific key before being stored in the card.
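The calculation in the paragraph above can be reproduced in a few lines, which makes the weakness concrete: once the reference value and the card-specific key have both been read out, the effort to recover the PIN is bounded by the size of the PIN space and not by the strength of the one-way function. The following is an added example, not code from the book: HMAC-SHA256 stands in for the card's one-way function, the card key and the PIN ‘4711’ are constructed values, and the function names are assumptions.

```python
import hashlib
import hmac

# Constructed: the complete space of four-digit decimal PINs, ‘0000’ to ‘9999’.
PIN_SPACE = [f"{n:04d}" for n in range(10_000)]


def pin_reference(card_key: bytes, pin: str) -> bytes:
    """Reference value stored in EEPROM: a keyed one-way function of the PIN.

    HMAC-SHA256 is an assumption standing in for whatever keyed one-way
    function a card would actually implement; the argument does not depend
    on which function is used.
    """
    return hmac.new(card_key, pin.encode("ascii"), hashlib.sha256).digest()


def exhaustive_search(card_key: bytes, reference: bytes):
    """Model of the situation the text describes: card key and reference value
    have both been read out, so every candidate PIN is simply tried in order.

    Returns (pin, attempts), or (None, 10000) if nothing matched.
    """
    for attempts, candidate in enumerate(PIN_SPACE, start=1):
        if hmac.compare_digest(pin_reference(card_key, candidate), reference):
            return candidate, attempts
    return None, len(PIN_SPACE)


if __name__ == "__main__":
    card_key = b"card-specific-key-constructed"   # constructed value
    reference = pin_reference(card_key, "4711")   # what the EEPROM would hold
    pin, attempts = exhaustive_search(card_key, reference)
    print(f"recovered PIN {pin} after {attempts} of {len(PIN_SPACE)} candidates")
```

Over all 10,000 possible PINs the search stops after (10,000 + 1) / 2 ≈ 5000 attempts on average, exactly the figure in the text, and the whole space takes well under a second on an ordinary computer. The only protection the construction offers is the one the text names: reading out the key and the one-way function from the chip is far more work than reading the few bytes of the reference value, which is also why keys themselves are stored encrypted under a card-specific key.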