Hardware Security Requirements for Embedded Encryption Key Storage
by Craig Rawlings
Marketing Director
Kilopass Technology Inc.
Introduction
As the sophistication of global competitors and IP thieves in countries with weak IP protections increases, there is a growing need for enhanced physical security for sensitive security information such as encryption keys. With hardware security now one of the primary requirements for many, if not most, consumer SoC architectures, new questions are being asked of the various memory technologies. One of the most relevant to hardware security is, "How physically secure is the underlying memory technology?" Equally important is the question of securing sensitive encryption keys throughout the manufacturing process. These two hardware security factors matter because an encryption-based system is only as robust as its ability to keep the encryption key hidden.
A new embedded permanent memory technology
based on a standard logic CMOS antifuse provides unprecedented physical
layer security for applications such as HDCP (High bandwidth Digital
Content Protection) and AACS (Advanced Access Content System), both
of which require unique encryption keys for each hardware device.
The CMOS logic antifuse, when combined with a robust key distribution, tracking, and management system tailored for the global semiconductor manufacturing supply chain, provides end-to-end security for sensitive encryption keys from the licensor through to the end product.
A Case of Broken Security
As DVDs were popularized in the 1990s,
Content Scramble System (CSS), a digital rights management scheme that
aims to prevent the copying of material via encryption, was implemented
within the DVD format for protecting media content from piracy.
DVD movies, including extra features and menus, may be encrypted with
CSS at the manufacturing plant when the discs are created. The
DVD players then decrypt the encryption protected content when the DVD
movie or feature is viewed.
In 1999, a teenager named Jon Johansen and two other hackers cracked the CSS code and posted the decryption software, DeCSS, on the internet, making it possible for a large segment of the global public to make illegal copies of DVD movies, which may be viewed on either a PC or a standard DVD player. This software, which breaks CSS, was posted on the web for anyone to download. When legally blocked, the source code was subsequently posted as "art" or "artistic expression" (for anyone with a compiler) to get around legal injunctions against distributing the program as illegal software (see Figure 1 below). This series of events evoked the wrath of the movie industry (MPAA) and resulted in legal actions against Jon Johansen. The most serious damage to movie and media content creators occurs in countries where IP protections are weak, if not non-existent.
As the use of digital media formats such as DVD becomes more popular, the protection of intellectual property (IP) and confidential data (CD), including encryption keys, is becoming a hot topic of discussion. Different industries have different security requirements and protect their IP and CD in different ways. While the movie industry uses CSS to encrypt DVD movies, cell phones may use 128-bit encryption over wireless channels and passwords for theft deterrence.
Computers and PDAs may use password based methods to restrict access
only to those authorized by the owner. Similarly, on-line banking and
other web-enabled services must protect their customers from attackers
and properly identify each customer and authorize the customer per their
correct accounts. Identity theft is rapidly on the rise due to the use
of an individual's social security number as a form of ID and the
prevalence of password theft via spyware. Other vulnerable forms of
IP include digital game producers' game software as well as computer
software. Losses to the video game and computer software industries
are potentially as damaging as to the movie industry if their respective
anti-theft software security is broken.
Figure 1. DeCSS Source Code on T-Shirt and DVD Logo Artwork [1]
Encryption and Hardware Security
Any physical device that provides secured
access or use of licensed or protected media or of a licensed or protected
application whether distributed as software or as a web-enabled application
benefits significantly from hardware security. Since software
is distributed and controlled by a vendor for use on general purpose
hardware, when the software security is attacked and broken it is broken
for all the general purpose hardware. New hardware security methods
are being used to establish a layer of security that is unique for each
device such that if security is broken for one hardware device only
that individual hardware device is affected without affecting the general
hardware population and the larger integrity of the security system.
Figure 2. Encryption of Keys for Global Supply Chain Manufacturing
In order to protect sensitive information,
whether it is application or game software, a movie, music, or personal
data, encryption is used to scramble the information. While many
forms of encryption are used, all forms of encryption make use of passwords
and/or encryption keys. These 'keys' are then used to scramble
the sensitive information. While in ages past, keys to lock boxes
used to protect such things as jewels and sensitive documents were well
hidden in inconspicuous places in a residence or on a person's body,
in our current electronic age, these keys are now hidden in non-volatile
(permanent) memory. These electronic hiding places for keys have historically been devices such as EPROM, EEPROM, Flash, Hard Disk Drives (HDD), or possibly masked ROM. While solid-state NVM devices increase physical layer security more than hiding places such as disk drives, they are still inherently simple to reverse engineer. For this reason, Flash memories are adding OTP (one-time programmable) memory technologies to their devices, using physically secure NVM technologies such as Kilopass' XPM (Extra Permanent Memory). Simply stated, in order to protect the integrity of any security system, the keys for that system must be protected in the physical layer, the NVM where the keys are, in effect, 'hidden'.
Well may one ask, 'Why are keys so important to the integrity of a security system?' As an example, Scott Crosby at Carnegie Mellon University has co-written an academic article that stresses the importance of keeping HDCP keys hidden in silicon [2]. This is due to the vulnerability of a cryptographic system if a relatively small subset of that system's keys is identified or exposed.
These security factors lead to two hardware security imperatives:
1. Encryption keys such as HDCP keys need to include physical layer security intrinsic to the non-volatile memory technology used to store them; and
2. Encryption keys need to be secure from the point of origination (Central Authority or Licensor of the key) through to the internals of the target device (see Figure 2 above).
As indicated in the second hardware security imperative (refer to Figure 2), key information is encrypted in order to protect sensitive keys during the manufacturing process, prior to programming them into a physically secure NVM technology. Only the target device has the built-in decryption needed to unlock a key. In this way, keys are protected throughout the semiconductor manufacturing supply chain whether they are programmed at wafer sort, in-package at test, or by an OEM manufacturer at the board level.
Physical Layer Security
Since hardware is by
nature physical, it has been a significant challenge to hide keys or
other valuable or sensitive information in hardware. If the owner
of the hardware is trusted then it may be left to the owner to maintain
security for the hardware system or device. The nature of consumer
hardware products is such that it is difficult to assure possession
of each hardware device or system by a trusted person.
For those involved in hardware security or attacks on hardware security, traditional methods of attack include the following:
Passive Attacks
    Glitching
    Power Analysis
    Data Permanence
Semi-Invasive Attacks
    UV Attacks
    Microscopy
    Fault Injection
    Voltage Contrast
    Magnetic Scan
Invasive Attacks
    Chip Modification
    Micro-probing
    Reverse-engineering
    Rear-side Approach
While designing for system-level security may protect against many of these forms of attack, a number of attacks at the device level are more difficult to defend against. De-processing of the device, microscopy, and side-channel attacks (such as power analysis) are sure methods for most hackers. Those with a higher degree of sophistication may resort to Voltage Contrast and Magnetic Scan, leaving invasive forms of attack to those with the highest levels of sophistication and budgets.
Figure 3. Lack of Physical Observability of XPM Bit Cell State
As indicated in Figure 3, due to the nature of Kilopass' patented CMOS Logic Antifuse or Extra Permanent Memory (XPM) bit cell, the checkerboard pattern used to program the devices shown in all three photographs above does not show up under physical [3] or electrical [4] observation. This is due to the inherently small size of the physical change that occurs to the CMOS transistor's gate oxide when it is programmed from its original "0" state to a programmed "1" state. Since the oxide breakdown (antifuse) occurs at a random location within a bounded enclosure, and is extremely small, the state of the bit cell stays well hidden in the CMOS antifuse's silicon atoms. Likewise, because there is no charge stored as with Flash, EPROM, or EEPROM technologies, there is no charge to externally detect as a "1" state.
Most security experts strongly prefer OTP memory technologies. This is because state changes, programming "0"s to "1"s, are destructive and irreversible, as is the case with XPM. This property may be used at the system level to prohibit tampering as well as to protect against side-channel attacks and glitching.
This level of physical layer security
at the non-volatile memory device level is unique to antifuse based
technologies such as Kilopass' proprietary XPM technology.
Securing the Manufacturing Supply Chain
Even with an NVM technology that provides security at the physical layer, if sensitive keys are exposed during the exchange of key information in the fabless semiconductor company's supply chain (Figure 4), the security scheme may be compromised or broken. This becomes more critical in technology industries where the outsourcing of design and manufacturing to countries with weak legal IP protections drives the need for system-level protections in the final microelectronic product. In the case of DVI and HDCP keys, the licensor charges a penalty of $1 million to $8 million per exposed key for this reason. This penalty is written into the HDCP key license in order to protect that system from the exposure of keys, which could easily result in compromising the entire security scheme.
Figure 4. Securing Encryption Keys in Semiconductor Mfg. Supply Chain
The combination of Certicom KeyInject™ and XPM Xtend™ for the secure key manufacturing, management, and tracking of devices with embedded encryption keys defends against key exposure and any liabilities assumed through the licensing of industry-standard keys. Security keys are encrypted by KeyInject and communicated through secure server technology within the semiconductor manufacturer's supply chain. The XPM Xtend embedded IP decrypts the sensitive information for processing by the device that contains the XPM Xtend IP. All keys are tracked and managed for auditing by the manufacturer or Certificate Authority as needed.
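The key-handling model described above and in the paragraph on the second imperative (keys encrypted by the licensor, carried through wafer sort, test and OEM assembly as ciphertext, and unlocked only inside the target device) can be illustrated with a small model. This is an added example, not KeyInject or XPM Xtend code; it assumes a per-device transport key that both the licensor and the device's embedded IP can derive from a shared root secret and a public device ID, and it uses HMAC-SHA256 in counter mode as a stand-in stream cipher because the Python standard library has no AES.

```python
import hmac
import hashlib
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def derive_transport_key(root_secret: bytes, device_id: bytes) -> bytes:
    """Per-device transport key. Assumption: the licensor and the device's
    embedded IP both hold root_secret; device_id is public."""
    return hmac.new(root_secret, b"transport-key|" + device_id, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, used here as a stand-in stream cipher.
    blocks = [hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def wrap_key(transport_key: bytes, device_id: bytes, device_key: bytes) -> bytes:
    """Licensor side: encrypt-then-MAC the licensed key and bind it to one device ID,
    so the blob is useless to test-floor equipment and to any other device."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(device_key, _keystream(transport_key, nonce, len(device_key))))
    tag = hmac.new(transport_key, device_id + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(transport_key: bytes, device_id: bytes, blob: bytes) -> bytes:
    """Device side: verify the tag before decrypting; a blob wrapped for another
    device, or altered in transit, is rejected and never reaches the OTP array."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(transport_key, device_id + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key rejected: not for this device or tampered")
    return bytes(c ^ k for c, k in zip(ct, _keystream(transport_key, nonce, len(ct))))


def try_unwrap(transport_key: bytes, device_id: bytes, blob: bytes):
    """Return the key, or None when the device refuses the blob."""
    try:
        return unwrap_key(transport_key, device_id, blob)
    except ValueError:
        return None


if __name__ == "__main__":
    ROOT = b"constructed-root-secret"          # constructed sample, not a real secret
    KEY = bytes(range(40))                      # constructed stand-in for licensed key material
    blob = wrap_key(derive_transport_key(ROOT, b"dev-A"), b"dev-A", KEY)
    print("dev-A unwraps:", try_unwrap(derive_transport_key(ROOT, b"dev-A"), b"dev-A", blob) == KEY)
    print("dev-B rejects:", try_unwrap(derive_transport_key(ROOT, b"dev-B"), b"dev-B", blob) is None)
```

The programming station at wafer sort or final test only ever forwards the blob; it never holds the transport key, so a compromised test floor exposes ciphertext rather than the licensed key.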
Summary
For hardware security, these combined technologies provide an effective solution for both hardware security imperatives. While legal protections may protect sensitive information and IP, as experienced in the DVD case, the rapidly expanding global nature of technology raises the bar for security requirements on chip manufacturers. As the importance of hardware security increases, with high-value liabilities and broken-security costs both on the chip manufacturers' side and on their customers', an effective technology-based solution to this problem is needed.
The proprietary CMOS Logic Antifuse technology
provided by Kilopass' XPM IP provides unprecedented physical layer
security for embedded encryption keys. For the secure manufacturing
of devices with embedded encryption keys, Certicom KeyInject™ and
XPM Xtend™ provide end-to-end security throughout a chip manufacturer's
supply chain.
Craig Rawlings has more than 15 years
of experience in the semiconductor industry. Prior to joining Kilopass,
Craig held management and executive-level positions at Hewlett-Packard,
Actel, Resilience, and Progress Software. Kilopass is Craig's fourth
early stage start-up experience. Craig's first start-up right out of
engineering school was Cericor which was later purchased by HP. He was
also part of the initial team at Actel and led that company's business
expansion in the US, Japan, and Asia Pacific participating in Actel's
subsequent IPO. Craig holds a B.S.E.E. degree and a Masters of Business
Administration from Brigham Young University.
[1] Source: Carnegie Mellon, CS Dept., http://www.cs.cmu.edu/~dst/DeCSS/Gallery/.
[2] A Cryptanalysis of the High-bandwidth Digital Content Protection System, Scott Crosby, Ian Goldberg, Robert Johnson, Dawn Song, and David Wagner; Carnegie Mellon University, Zero Knowledge Systems, and University of California at Berkeley.
[3] Cross Section (top) and Top View (middle) represent TEM/SEM and a de-processed XPM cell, respectively.
[4] FIB Voltage Contrast (bottom) represents the top view using this method of observation, with only metal vias showing.