United States Patent
Force et al.

Patent Number: 5,533,123
Date of Patent: Jul. 2, 1996

[54] PROGRAMMABLE DISTRIBUTED PERSONAL SECURITY

[75] Inventors: Gordon Force, San Jose, Calif.; D. Davis, Arlington, Tex.; Richard L. Duncan, Bedford, Tex.; Thomas M. Norcross, Arlington, Tex.; Michael J. Shay, Arlington, Tex.; Timothy A. Short, Duncanville, Tex.

[73] Assignee: National Semiconductor Corporation, Santa Clara, Calif.

[21] Appl. No.: 267,788

[22] Filed: Jun. 28, 1994

[51] Int. Cl.6: H04L 9/00

[52] U.S. Cl.: 380/4; 380/52

[58] Field of Search: 380/3, 4, 52

[56] References Cited

U.S. PATENT DOCUMENTS

4,446,475 5/1984 Gercekci et al. 357/40
(two further entries illegible in the scan)
4,598,170 7/1986 Piosenka et al. 178/22.08
4,691,350 9/1987 Kleijne et al. 380/3
4,764,959 8/1988 Watanabe et al. 380/4
4,783,801 11/1988 Kaule 380/3
4,807,284 2/1989 Kleijne 380/3
4,811,288 3/1989 Kleijne et al. 365/52
4,860,351 8/1989 Weingart 380/3
4,926,388 5/1990 Kunita et al. 365/244
4,933,898 6/1990 Gilberg et al. 365/53
5,027,397 6/1991 Double et al. 380/4
5,053,992 10/1991 Gilberg et al. 365/53
5,083,293 1/1992 Gilberg et al. 365/189.01
5,117,457 5/1992 Comerford et al. 380/3
5,159,629 10/1992 Double et al. 380/4
5,185,717 2/1993 Mori 365/52
5,353,350 10/1994 Unsworth et al. 380/3

Primary Examiner: David C. Cain

[57] ABSTRACT

The present invention is embodied in a Secured Processing Unit (SPU) chip, a microprocessor designed especially for secure data processing. By integrating keys, encryption/decryption engines and algorithms in the SPU, the entire security process is rendered portable and easily distributed across physical boundaries. The invention is based on the orchestration of three interrelated systems: (i) detectors, which alert the SPU to the existence, and help characterize the nature, of a security attack; (ii) filters, which correlate the data from the various detectors, weighing the severity of the attack against the risk to the SPU's integrity, both to its secret data and to the design itself; and (iii) responses, which are countermeasures, calculated by the filters to be most appropriate under the circumstances, to deal with the attack or attacks present. The present invention, with wide capability in all three of the detectors, filters and responses, allows a great degree of flexibility for programming an appropriate level of security/policy into an SPU-based application.

14 Claims, 19 Drawing Sheets

Front-page drawing (FIG. 1): SPU block diagram; legible blocks: POWER ISOLATION, MICROCONTROLLER, GENERAL PURPOSE I/O PORT, EXTERNAL BUS INTERFACE, ROM, RESET, SILICON FIREWALL.

Us 5533123


U.S. Patent 5,533,123, Jul. 2, 1996, Sheet 2 of 19. FIG. 2: power switching circuit block diagram; legible labels: VOUT, VPP, VDD, VBAT, POWER SWITCHING CIRCUIT, ALARM, PWRGD, PWRUP, CHIP START, COUNTER, DLY_PWRGD, VREF, RESET, SET_PWOP, PWRDN, CLR_PWOP, SHUTDOWN.

Sheet 3 of 19. FIGS. 3, 4 and 5: circuit schematics; legible labels: INPUT, OUTPUT, CLOCK, and a D/Q flip-flop in FIG. 5.

Sheet 6 of 19. FIG. 8: real-time clock block diagram; labels: RTCLK, RIPPLE COUNTER, ROLLOVER, SYNC BLOCK, CLOCK_RTC, CLEAR_RTC, BUS INTERFACE CTR AND DECODER, INTERNAL I/O BUS.

Sheet 7 of 19. FIG. 9: key inversion flowchart; steps: DISABLE ACCESS TO THE KEY; EXECUTE OTHER FIRMWARE PROGRAMS (NO branch); INVERTING ALL THE BITS OF THE KEY; CHANGE THE KEY INVERSION STATUS BIT; ENABLE ACCESS TO THE KEY.

Sheet 8 of 19: drawing; only the label CLOCK is legible.

Sheet 9 of 19. FIG. 11: plot with two axes ticked 0 through 5; no other labels legible.

Sheet 10 of 19. FIG. 12: drawing; only reference numerals legible.

Sheet 11 of 19. FIG. 14a (MONOTONICITY TEST; CLOCK CROSS-CHECK): START; READ BACK LAST RTC READING; SIGNAL SECURITY PROBLEM; RECORD PRESENT TIME AS RTC READING; PERFORM FIXED TASK OF KNOWN SYSCLK DURATION; RECORD PRESENT TIME AS END READING; SIGNAL SECURITY PROBLEM; END.

Sheet 12 of 19. FIG. 14b: START; POWER UP, INITIALIZE SPU; PERFORM MODIFICATION DETECTION; NORMAL OPERATING STATE or MANUFACTURING STATE; EXECUTE ONLY COMMANDS THAT RESTRICT ACCESS TO SECRET DATA; ZEROIZE ALL SECRET DATA AREAS, USE DEFAULT CONFIGURATION; ENABLE MANUFACTURING TEST AND SET CONFIGURATION COMMANDS; PERFORM MANUFACTURING TESTS; LOAD SECRET DATA, STORE MODIFICATION CODE; SET VRT=1; END.

Sheet 13 of 19. FIG. 15: START; READ BACK OUTPUT PORT REGISTERS; SAVE IN TEMPORARY STORAGE; MOVE TEST NON-SECRET DATA; READ BACK OUTPUT PORT REGISTERS; MOVE NEXT PART OF SECRET DATA; TRANSFER DATA ON BUS CONVENTIONALLY; ABORT, SIGNAL SECURITY PROBLEM; END.

Sheet 14 of 19. FIG. 16: START; SET I/O PORT BIT x TO 1; READ I/O PORT BIT x; ABORT, SIGNAL SECURITY PROBLEM; END.

Sheet 15 of 19 (figure number not legible): START; SET VALUES OF THE LIMIT PARAMETERS; PROCESS VALID COMMAND; CALCULATE NUMBER OF INVALID COMMANDS/UNIT TIME; SIGNAL FIRST LIMIT SECURITY PROBLEM; SIGNAL SECOND LIMIT SECURITY PROBLEM; SIGNAL THIRD LIMIT SECURITY PROBLEM; SIGNAL FOURTH LIMIT SECURITY PROBLEM.

Sheet 16 of 19. FIG. 18: lanes HARDWARE, INTERRUPT, FIRMWARE, HARDWARE/FIRMWARE; legible labels: RETURN FROM INTERRUPT, SIGNAL.

Sheet 17 of 19. FIGS. 19a, 19b and 19c: logic diagrams; legible labels include D0, A0, FC1, R0.

Sheet 18 of 19. FIG. 20a: response flowchart; legible labels: MESSAGE TO USER, TRANSFER TO OTHER CARD; POWER STATE; Y/N branches.

Sheet 19 of 19. FIG. 20b: MESSAGE TO USER, NOT TO DO IT AGAIN; DISABLE PERMANENTLY. KEY TO FIG. 20: FIG. 20a, FIG. 20b.