Dynamic analyses of smart card microcontrollers
Protection: monitoring the passivation layer
A passivation layer is placed on top of the microcontroller in the silicon at the conclusion of the fabrication process. This layer impedes oxidation (due to atmospheric oxygen) and other chemical processes at the surface of the chip. The passivation layer must always be removed before any sort of manipulation of the chip can be performed. It should be borne in mind that although it is possible to chemically remove the passivation layer, the chip is then exposed to a major risk of oxidation, which can destroy it relatively quickly. A sensor circuit can employ resistance or capacitance measurements to determine whether the passivation layer is still present. If it is missing or damaged, this can either trigger an interrupt to the chip software or cause the complete hardware of the chip to be shut down, which reliably prevents any sort of dynamic analysis.

Protection: voltage monitoring
A voltage monitor is present in every smart card microcontroller. It provides a well-defined shutdown of the IC if the supply voltage exceeds its allowed lower or upper limits. This gives the software the assurance that it is not possible to operate the chip in marginal regions in which the chip may not function properly. Without such a voltage monitor, it would be possible for the program counter to become unstable when the chip was operated in a marginal region, leading to uncontrolled program jumps or plain computation errors in the processor. Such faulty behavior could be used to determine secret keys by using the technique of differential fault analysis (DFA), which is described elsewhere in this book. For this reason, it is important for the voltage monitor to also be able to detect very brief voltage peaks or dropouts, in order to protect against typical attacks involving the intentional introduction of processor errors. As an example, in the case of a smart card intended to be used with a supply voltage of 3–5 V, the usual shutdown thresholds are 2.3 V and 6.3 V. These values lie slightly outside the range of 2.7–5.5 V specified by various standards, in order to allow for tolerances in sensor calibration during semiconductor fabrication. Voltage monitoring in particular is highly important for the security of the microcontroller. A conceivable method of attack would be to first use a focused ion beam (FIB) or similar tool to disable the relevant detectors and then start the actual attack. For this reason, the components that are vital to the security of the microcontroller are often specially protected so that manipulation can be detected, causing the smart card to automatically deactivate itself. Another type of sensor that is partly based on the voltage detector is the power-on detector. This detector, which is also present in all chips, recognizes a power-on condition independently of the external reset signal and ensures that the chip is always placed in a defined initial state when power is first applied. The reasons for doing this are similar to those for using voltage monitoring.

Protection: frequency monitoring
A smart card is always driven by an external clock, so its processing speed is completely determined outside the card. This means that, at least in theory, it is possible to operate the microcontroller in single-step mode. This would provide outstanding opportunities for analyzing the microcontroller, in particular by measuring its current consumption while it is operating (power analysis) and measuring electrical potentials on the surface of the chip. In order to prevent such attacks, a functional component for detecting underfrequency and overfrequency conditions is built into the chip. This eliminates the possibility of reducing the clock rate to impermissibly low levels. The minimum clock rate stated in most specifications is 1 MHz. However, for technical reasons the underfrequency detector has a wide tolerance range, so the chip usually stops working at around 500 kHz. This ensures that the chip will always work at the minimum specified clock rate of 1 MHz. The upper frequency limit is 5 MHz in most specifications, and typical overfrequency detectors disable the chip at a frequency of approximately 7 MHz. Modern microcontroller hardware is often built such that the chip cannot be used if the clock rate is too high. In order to protect the microcontroller against the dangers of single-step operation, it is naturally necessary to secure the underfrequency detector with protective layers, so that any attempt to tamper with the detector will be recognized.

Protection: temperature monitoring
A temperature sensor is used in some types of chips, but the benefit of such a sensor is debatable. The chip will not be damaged if the temperature briefly exceeds the specified operating range, and this does not in itself represent an attack. Shutting down the chip in this marginal situation, however, could lead to an artificially increased failure rate without providing the operator of the smart card system with any additional security.

Protection: bus scrambling
In many smart card microcontrollers, the internal busses that drive the memory are scrambled. This means that the individual bus lines are not laid out next to each other in increasing or decreasing order, but are instead arranged randomly next to each other and ‘swapped’ several times, or even arranged in several layers on top of each other. This represents an additional hurdle for a potential attacker, who does not know which bus line is associated with which address bit or function. Scrambling the bus lines was originally introduced only in a static version, with the same scrambling scheme used on every chip. With static scrambling, it would probably not be all that difficult for an attacker to discover the scrambling scheme over a moderate length of time, and thus be able to take it into account when tapping the busses. The security provided by this technique can be improved by using chip-specific scrambling. This is naturally not achieved by using a different set of exposure masks for the busses of each chip, since this is currently either not technically possible or affordable. Instead, scrambling is performed by randomizer circuits located just ahead of the memory. These can be driven by the chip serial number, for example. This technique is not difficult in terms of semiconductor technology, and it makes life considerably more difficult for someone who tries to tap the bus. Using variable input values for the randomizer makes it possible to achieve chip-specific and session-specific scrambling.

Protection: irreversible switching from the test mode to the user mode
All microcontrollers have a test mode that is used for verifying the chips during the fabrication process, and for executing internal test programs while the semiconductors are still in the wafer or after they have been packaged in modules by the manufacturer. The test mode allows types of access to the memory that are strictly forbidden when the chips are later in actual use. However, for technical production reasons, it is an unavoidable requirement to be able to read data from the EEPROM in this mode. The change from the test mode to the user mode must be irreversible. This can be realized by using a polysilicon fuse on the chip. In this case, a voltage is applied to a test point on the chip that is provided for this purpose, and this voltage causes the fuse to melt through. The chip is thus switched into the user mode using hardware. Normally, this cannot be reversed. However, a fuse is by its nature a relatively large structure on the surface of the chip. It is conceivable that the fuse could be mechanically bridged after removing the part of the passivation layer that covers the fuse. This would put the microcontroller back into the test mode, and the memory could be read out using the extended access options available in this mode. If the complete content of the memory is known, it is easy to clone the smart card that has been read out. In order to defend against this type of attack, most semiconductor manufacturers have adopted the practice of reserving a portion of the EEPROM for the switchover mechanism, in addition to using a fuse. If a certain unalterable value is located in this part of the memory, the chip has been irreversibly switched to the user mode. Even if the fuse is bridged over, the chip will not return to the test mode, since the additional logical switch in the EEPROM prevents this. The security of the switchover from the test mode to the user mode can be increased even further by a very simple measure. If the microcontroller chip is laid out on the wafer such that the test pads needed to make contact with the chip for performing the tests are simply sawn off when the wafer is divided into individual dice, neither a fuse nor any EEPROM cells are needed to switch between the modes, since the elements needed for the test mode will no longer be present. It is also possible to replace the fuse that switches from the test mode to the user mode by a track that is irreversibly broken when the dice are sawn from the wafer. With present-day technology, it is not possible to make a connection to a sawn-through track on the edge of a chip.

Dynamic analysis and defense: tapping the memory busses of the microcontroller
Before the busses between the CPU and the memories of the microcontroller (ROM, EEPROM and RAM) can be tapped, the chip must be exposed and the passivation layer on the top surface of the chip must be removed. The passivation layer protects the chip against oxidation, but it also protects the chip against attack, since its integrity is monitored by sensors. According to Anderson and Kuhn [Anderson 96b], it can be removed by etching with hydrofluoric acid. In addition, a laser cutter can be used to selectively cut openings in the passivation layer at the necessary locations. After the passivation layer has been removed from the entire surface of the chip, or only from selected locations, it would be at least theoretically possible to make contact with the address, data and control busses for the memory using microprobe needles. If it is possible to make electrical connections to all the lines of these three busses, it is very easy to address the individual memory cells and to read any desired regions of the ROM and EEPROM. The chip does not have to be powered for this, and any desired type of connection jig can be used. The consequences of a successful attack using this method would be serious, since in principle it would make all the secret data in the non-volatile memory readable. This method could be extended by making connections to the busses and then operating the chip in the normal manner. In this way, it would be possible to eavesdrop on the complete data traffic between the CPU and the memories, and this could be recorded using a sufficiently fast logic analyzer. As already indicated, it is very difficult to make electrical contact with the individual tracks on the chip. With an 8-bit microcontroller, the number of connections needed for this attack is 16 for the address bus, 8 for the data bus and 1 to 4 for the control bus. In total, at least 25 simultaneous connections would have to be created between an external analysis computer and the tracks on the chip. Even with modern micromanipulator technology, this is currently not possible, due to the very small dimensions of the semiconductor structures. However, it would be possible to use a focused ion beam (FIB) generator, which is commonly used in the semiconductor industry, to implant a sort of electrically conductive contact surface for each bus line. These surfaces could then be used as contact points for microprobe needles. However, the effort required for this is enormous. Even if an attacker succeeded in making these connections, he would still have to determine how the busses have been scrambled before he could successfully read the data. This is because the individual bus tracks are not arranged on the chip in an orderly fashion next to each other, but are instead arranged in an externally unrecognizable manner. If markedly improved technology in the future should make it possible to make connections to the busses of current microcontrollers, that would probably not have any effect on security, since by that time semiconductor structures will have become significantly finer than they presently are. In addition, micromechanical technology will probably always lag behind semiconductor technology, which is based on optical processes. This means that even in the future, this sort of attack will probably not be suitable for significantly weakening the security of smart cards.

Dynamic analysis and defense: measuring the current consumption of the CPU
Already in 1995, in the first edition of this book, the following statement appeared at this point: ‘The design of the processor is also crucial with regard to security. A smart card processor must have nearly the same current consumption for all machine instructions. Otherwise, conclusions can be drawn regarding the instruction being processed, based on the current consumption. A certain amount of secret information can be deduced from these conclusions.’ The fact that it is possible to draw conclusions about the instructions being executed by a processor, and even about the data being processed, by analyzing the current consumption of the processor while it is executing instructions, was thus already known for several years when Paul Kocher, Joshua Jaffe and Benjamin Jun published a paper on simple power analysis (SPA) and differential power analysis (DPA) in June of 1998 [Kocher 98]. The working principle of simple power analysis is relatively straightforward. The current consumption of the microcontroller is determined by measuring the voltage drop across a resistor connected in series with the power supply. Measurements are made at high time resolution using an analog-to-digital converter. With a high-performance processor, such as a Pentium or PowerPC, it would not be possible to draw any conclusions about the instructions being executed, due to the complexity of the internal processes. However, the relatively simple structures of the 8051 and 6805 CPUs used in smart card microcontrollers result in measurable and thus interpretable variations in current consumption, according to the instructions and data being processed. To help clarify the principle, imagine that a particular program sequence with a particular set of data always produces the same plot of processor current versus time. If the same program is then run using different data, the plot of current versus time will be different. This variation is used to determine which data have been processed by the program. Differential power analysis (DPA) can reveal even finer differences in the current consumption of a microcontroller than simple power analysis. With the DPA technique, the current consumption is first measured while the microcontroller is processing known data, and then again while it is processing unknown data. The measurements are repeated many times, so that the effects of noise can be eliminated by taking average values. The differences are calculated once the measurements have been completed, and conclusions regarding the unknown data are drawn from the results.

In the paper by Kocher et al., ‘high-order differential power analysis’ (HO-DPA) is mentioned as a further extension of DPA. This involves measuring not only the current consumption of the microcontroller, but also other variables that depend on the program being executed by the processor, such as the electromagnetic radiation of the chip. The measurement information collected in this manner using both known and unknown data can be used in the same way as in the DPA technique to calculate differences, which can then be used to compute the unknown data. These three types of power analysis for smart card microcontrollers represent very serious forms of attack on hardware and software that have not been protected by suitable countermeasures. This is because the current consumption of some microcontrollers is definitely dependent on the machine instructions being executed and the data being processed by the instruction. In addition, the cost and complexity of the equipment needed for a successful attack using this method is relatively limited. However, there are several effective countermeasures based on suitably improved hardware and modified software. The simplest hardware solution is to incorporate a fast-acting voltage regulator in the chip that uses a sense resistor to monitor the current drawn by the microcontroller and ensures that it is independent of the instructions and data. Artificial noise current generators on the chip are also an effective solution. A technically more complicated solution is to use a modified processor design that always draws a constant current. However, all of these approaches slightly increase the power consumption of the microcontroller, which is undesirable in certain application areas, such as telecommunications. An alternative, simpler defense measure can be to activate certain components of the microcontroller that are not needed for the actual process while performing SPA/DPA-critical processes. The CRC checksum generator or numerical coprocessor could be used for this purpose, using random data as input values in order to generate artificial noise in the current consumption. Using randomly generated delays (random wait states) in the processor considerably increases the difficulty of synchronizing the data obtained from current analysis, without increasing the chip’s current consumption. A similar approach can be used with smart card microcontrollers that have their own on-chip clock generators, by continuously and randomly varying the clock frequency within certain limits. There is presently an immense range of possible software countermeasures. Here we can describe a few representative examples. The simplest approach is to use only machine instructions that have very similar current consumptions. In this case, machine instructions whose current consumption is significantly different from the average level are not allowed to be used in the assembler code. Another approach is to have several different, randomly selected procedures for performing the same computations in cryptographic algorithms. This makes it considerably more difficult for the observer to recognize a correlation between known and unknown machine instructions or processed data. In order to make it more difficult to obtain the data needed to successfully perform a power analysis, all keys should be protected by irreversible retry counters. In addition, it is necessary to block free access to all commands (such as INTERNAL AUTHENTICATE) that can be used to pass any desired data through a cryptographic algorithm in the smart card. If it is essential to use commands of this sort for some reason, the smart card must test the authenticity of the terminal before executing them. Restricting the use of the available commands also makes it more difficult to collect reference data for a subsequent power analysis.
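The following simulation, added here as an illustration and not part of the book or of any card's firmware, shows the DPA principle described above (partition many noisy measurements by a predicted bit, average each set, take the difference) and why random wait states defeat it: with the leaking clock cycle shifted randomly, the averaged difference for the correct key collapses toward the noise floor. The S-box (a seeded random permutation), the Hamming-weight leakage model, the noise level and the delay model are all constructed assumptions.

```python
"""Difference-of-means DPA on a simulated leaky S-box lookup, with and
without the random wait-state countermeasure.

All inputs are constructed: a seeded random permutation stands in for a
cipher S-box, current draw is modelled as Hamming weight plus Gaussian
noise, and random delays shift the leaking sample among SLOTS clock slots.
"""
import random

KEY = 0x2B            # secret byte the simulated card XORs into its input
N_TRACES = 2000       # repetitions so that averaging removes the noise
NOISE = 0.5           # std. deviation of measurement noise (arbitrary units)
SLOTS = 8             # number of clock slots the leaking cycle can land in

_rng = random.Random(1)
SBOX = list(range(256))
_rng.shuffle(SBOX)    # constructed nonlinear stand-in for a cipher S-box


def hw(x):
    """Hamming weight: the assumed data-dependent part of the current draw."""
    return bin(x).count("1")


def simulate_traces(random_delay, rng):
    """Return (plaintexts, traces); each trace holds SLOTS current samples.

    Without random_delay the S-box lookup always leaks in slot 0.  With it,
    the card inserts 0..SLOTS-1 random wait states first, so the leaking
    sample moves from run to run; other slots carry unrelated activity."""
    plaintexts, traces = [], []
    for _ in range(N_TRACES):
        p = rng.randrange(256)
        leak_slot = rng.randrange(SLOTS) if random_delay else 0
        trace = [hw(rng.randrange(256)) + rng.gauss(0, NOISE) for _ in range(SLOTS)]
        trace[leak_slot] = hw(SBOX[p ^ KEY]) + rng.gauss(0, NOISE)
        plaintexts.append(p)
        traces.append(trace)
    return plaintexts, traces


def difference_of_means(plaintexts, traces, guess, slot, bit=0):
    """Split traces by the predicted value of one S-box output bit under
    `guess`, then return mean(bit=1 set) - mean(bit=0 set) at `slot`."""
    ones = [t[slot] for p, t in zip(plaintexts, traces) if (SBOX[p ^ guess] >> bit) & 1]
    zeros = [t[slot] for p, t in zip(plaintexts, traces) if not (SBOX[p ^ guess] >> bit) & 1]
    return sum(ones) / len(ones) - sum(zeros) / len(zeros)


def recover_key_byte(plaintexts, traces, slot=0):
    """Return (best_guess, peak): the guess with the largest |difference of
    means| at the analysed slot, and that peak value."""
    scores = [abs(difference_of_means(plaintexts, traces, g, slot)) for g in range(256)]
    best = max(range(256), key=scores.__getitem__)
    return best, scores[best]


def run_experiment(random_delay, seed=7):
    """Simulate one card configuration and run the analysis on slot 0."""
    plaintexts, traces = simulate_traces(random_delay, random.Random(seed))
    return recover_key_byte(plaintexts, traces)


if __name__ == "__main__":
    print("no countermeasure :", run_experiment(False))  # KEY, peak close to 1.0
    print("random wait states:", run_experiment(True))   # peak drops toward 0
```

Without the countermeasure the correct guess stands out with a difference of means near 1.0 (one leaking bit of Hamming weight); with random wait states only about one run in SLOTS contributes at the analysed slot, so the same number of traces no longer separates the key from the noise.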

As a matter of principle, secret data should never be processed bitwise, since doing so considerably simplifies SPA/DPA analysis. When keys have to be loaded into the registers of a cryptoprocessor, in some implementations they are intermixed with random numbers that are also loaded in these registers as dummy values, in order to render the corresponding measurements meaningless. Of course, the true keys must be located in the registers at the end of the loading process. SPA/DPA techniques are not just limited to ferreting out secret data stored in smart cards. They can also be used for purposes such as convincingly demonstrating that specific program code is used in a smart card. This is done by making an SPA analysis of the function in question in the smart card and comparing the current consumption plot obtained in this manner with the plot for a reference card. Even if the source code is not known, under favorable conditions this technique can for example be used to prove that segments of program code from an outside source are being used in a competitor’s product. The technical basis for this is the fact that, generally speaking, the machine code produced from the same source code by a given compiler will also be the same. The differences arising from the subsequent linking process, due to the almost certain differences in code localization in the memory, are relatively small. Testing software in smart cards for resistance to SPA/DPA attacks has presently reached a high level of refinement and thus taken on the character of a specialist discipline. It has become common for measurements to be made periodically during software development, with the software being modified as necessary according to the results of the measurements in order to defeat SPA/DPA attacks. At the early stages of development, measurements are made with the software in EEPROM, and the analyses are repeated and refined when the first samples are obtained from the semiconductor manufacturer with the software in the ROM of the microcontroller. This is because experience has shown that this aspect is definitely significant with regard to SPA/DPA measurements. By their nature, SPA and DPA can be used for more than just mounting attacks on cryptographic algorithms. Both methods are also very suitable for analyzing all activities of the processor. With suitable experience and equipment, it is even possible to determine the data involved in copy operations within the memory of a smart card that is not resistant to these types of attack.

Analysis and defense: measuring the electromagnetic radiation of the CPU
It is at least theoretically possible to draw conclusions about the internal processes of the smart card microcontroller from measurements of its electromagnetic radiation, in the same manner as with differential power analysis. Magnetic fields with small dimensions and strengths can be measured using SQUIDs (superconducting quantum interference devices). However, this is technically enormously difficult, and the knowledge of the internal structure of the semiconductor device that is indispensable for this method is not generally available. In addition, ICs can be very effectively protected against this sort of attack by stacking several tracks on top of each other, so that even if a magnetic field can be measured, it is not possible to determine which of the tracks is actually carrying the associated current.