White Paper

Raising the Bar for Hardware Security:
Physical Layer Security in Standard CMOS

March 3, 2008
Author: Craig Rawlings, Marketing Director, Kilopass Technology Inc.

Introduction
As the sophistication of attacks on secured systems extends to the international electronic borders, there exists
an increased need for enhanced physical layer security in silicon in order to protect sensitive information such
as encryption keys used in most security systems. With hardware security as one of the new primary
requirements for many, if not most, system architectures, new questions are being asked of various memory
technologies in order to prohibit the reverse engineering or break down of the overall system for the life of that
security system, standard, and/or protocol.
One of the most relevant questions to the topic of hardware security is, "How physically secure is the
underlying memory technology?" Equally important is the question of securing sensitive encryption keys
throughout the manufacturing process. These two hardware security factors are important since encryption is
only as robust as the ability for any encryption based system to keep the encryption key hidden.
A new embedded permanent memory technology based on a standard logic CMOS antifuse provides
unprecedented physical layer security for security applications such as HDCP (High bandwidth Digital Content
Protection) and AACS (Advanced Access Content System), both of which require unique encryption keys for
each hardware device. While these are commercial security standards used to protect digital media in the
consumer marketplace, the same principles apply to the public sector. A CMOS logic antifuse technology,
developed and patented by Kilopass, when combined with a robust key distribution, tracking, and management
system, tailored for semiconductor manufacturing, provides end-to-end security for sensitive encryption keys
from the author or originator of the encryption key through to the end product.

Cases for Broken Security


United Kingdom. In November of 2007, the British government was forced to admit a fundamental breach of
faith between the state and citizen, when the U.K. government disclosed that the personal records of 25 million
individuals, including their dates of birth, addresses, bank accounts and national insurance numbers had been
lost in the post. This security breach opened up the threat of mass identity fraud and theft from personal bank
accounts and caused a British national stir. MPs in the British parliament gasped when the chancellor, Alistair
Darling, told the Commons that discs containing personal details from 7.25 million families claiming child
benefit had been lost. These sensitive records went missing in the internal post after a junior official at HM
Revenue & Customs in Washington, Tyne and Wear, breached all government security rules by sending them
by courier to the National Audit Office in London. All banks and building societies were alerted and the news of
this security catastrophe publicized to warn citizens in the U.K. of the possibility of raids on their bank accounts.
DVD Media Protection Standard (CSS). As DVDs were popularized in the 1990s, Content Scramble System
(CSS), a digital rights management scheme that aims to prevent the copying of material via encryption, was
implemented within the DVD format for protecting media content from piracy. DVD movies, including extra
features and menus, may be encrypted with CSS at the manufacturing plant when the discs are created. The
DVD players then decrypt the encryption protected content when the DVD movie or feature is viewed.

978-1-4244-1978-4/08/$25.00 ©2008 IEEE 263


In 1999, a teenager named Jon Johansen and two other hackers cracked the CSS code and posted the
decryption software, DeCSS, on the internet, making it possible for a large segment of the global public to make
illegal copies of DVD movies which may be viewed on either a PC or a standard DVD player. This software
which breaks CSS was posted on the web for anyone to download. When legally blocked, the source code
was subsequently posted as "art" or "artistic expression" (for anyone with a compiler) to get around legal
injunctions against distributing the program as illegal software (see Figure 1 below). This series of events
evoked the wrath of the movie industry (MPAA) and resulted in legal actions against Jon Johansen. The most
serious damage to movie and media content creators occurs in countries where IP protections are weak, if
not non-existent.
As the use of digital media formats such as DVD becomes more popular, the protection of intellectual property
(IP) and confidential data (CD), including encryption keys, is becoming a hot topic of discussion. Different
industries have different security requirements and protect their IP and CD in different ways. While the movie
industry uses CSS to encrypt DVD movies, cell phones may use 128-bit encryption over wireless channels and
passwords for theft deterrence. Computers and PDAs may use password-based methods to restrict access
only to those authorized by the owner. Similarly, on-line banking and other web-enabled services must protect
their customers from attackers, properly identify each customer, and authorize each customer only for their
own accounts. Identity theft is rapidly on the rise due to the use of an individual's social security number as a
form of ID and the prevalence of password theft via spyware. Other vulnerable forms of IP include digital game
producers' game software as well as computer software. Losses to the video game and computer software
industries are potentially as damaging as those to the movie industry if their respective anti-theft software security is
broken.

Figure 1. DeCSS Source Code on T-Shirt and DVD Logo Artwork [1]


Encryption and Hardware Security
Any physical device that provides secured access to, or use of, licensed or protected media, or of a licensed or
protected application, whether distributed as software or as a web-enabled application, benefits significantly
from hardware security. Since software is distributed and controlled by a vendor for use on general purpose
hardware, when the software security is attacked and broken, it is broken for all of the general purpose hardware.
New hardware security methods are being used to establish a layer of security that is unique for each device
such that if security is broken for one hardware device only that individual hardware device is affected without
affecting the general hardware population and the larger integrity of the security system.
In order to protect sensitive information, whether it is application or game software, a movie, music, personal,
or the state's data, encryption is used to scramble the information. While many forms of encryption are used,
all forms of encryption make use of passwords and/or encryption keys. These 'keys' are then used to
scramble the sensitive information. While in ages past, keys to lock boxes were used to protect valuables and
sensitive documents, in our current electronic age these keys are hidden in non-volatile (permanent)
memory. These electronic hiding places for keys have historically been such devices as EPROM, E2PROM,
Flash, Hard Disk Drives (HDD), or possibly masked ROM. While solid state NVM devices increase physical
layer security more than hiding places such as disk drives, they are still inherently simple to reverse engineer.
For this reason, Flash memories are adding OTP (one-time programmable) memory technologies to their
devices, utilizing physically secure NVM technologies such as Kilopass' XPM (X-tra Permanent Memory).
[1] Source: Carnegie Mellon, CS Dept., hc
Simply stated, in order to protect the integrity of any security system, the keys for that system must be
protected in the physical layer, the NVM where the keys are, in effect, 'hidden'.

[Figure 2 diagram: SKU, Encryption Key, Kilopass XPM, Key Store, Custom]

Figure 2. Encryption of Keys for Global Supply Chain Manufacturing


Well may one ask, 'Why are keys so important to the integrity of a security system?' As an example, Scott
Crosby at Carnegie-Mellon University has written an academic article that stresses the importance of keeping
HDCP keys hidden in silicon [2]. This is due to the vulnerability of a cryptography system if a relatively small
subset of that system's keys are identified or exposed.

These security factors lead to two hardware security imperatives:


1. Encryption keys such as HDCP keys need to include physical layer security intrinsic to the non-volatile
memory technology used to store them; and
2. Encryption keys need to be secure from the point of origination (Central Authority or Licensor of the
key) through to the internals of the target device (see Figure 2 above).
As indicated in the second hardware security imperative (refer to Figure 2), in order to protect sensitive keys
during the manufacturing process prior to programming them into a physically secure NVM technology, key
information is encrypted. Only the target device has built-in encryption needed to unlock a key. In this way,
keys are protected throughout the semiconductor manufacturing supply chain whether they are programmed at
wafer sort, in-package at test, or by an OEM manufacturer at the board level.

Physical Layer Security


Since hardware is by nature physical, it has been a significant challenge to hide keys or other valuable or
sensitive information in hardware. If the owner of the hardware is trusted then it may be left to the owner to
maintain security for the hardware system or device. The nature of consumer hardware products is such that it
is difficult to assure possession of each hardware device or system by a trusted person.

[2] A Cryptanalysis of the High-bandwidth Digital Content Protection System -- Scott Crosby, Ian Goldberg,
Robert Johnson, Dawn Song, and David Wagner; Carnegie-Mellon University, Zero Knowledge Systems, and
University of California at Berkeley.
For those involved in hardware security or attacks on hardware security, traditional methods of attack include
the following methods:
1. Passive Attacks
* Glitching
* Power Analysis
* Data Permanence
2. Semi-Invasive Attacks
* UV Attacks
* Microscopy
* Fault Injection
* Voltage Contrast
* Magnetic Scan
3. Invasive Attacks
* Chip Modification
* Micro-probing
* Reverse-engineering
* Rear-side Approach
While designing for system level security may protect against many of these various forms of attack, there are
a number of attacks at the device level that are more difficult to defend. De-processing of the device,
microscopy, and side-channel attacks (such as power analysis) are sure methods for most hackers. Those
with a higher degree of sophistication may resort to Voltage Contrast and Magnetic Scan, leaving invasive
forms of attack for those with the highest levels of sophistication and budgets.
As indicated in Figure 3, due to the nature of Kilopass' patented CMOS Logic Antifuse or Extra Permanent
Memory (XPM) bit cell, the checkerboard pattern used to program the devices shown in all three photographs
does not show up under physical [3] or electrical [4] observation. This is due to the inherently small size of the
physical changes that occur to the CMOS transistor's gate oxide when programmed from its original "0" state
to a programmed "1" state. Since the oxide break-down (antifuse) occurs in a random location within a
bounded enclosure, and is extremely small, the state of the bit cell stays well hidden in the CMOS antifuse's
silicon atoms. Likewise, because there is no charge stored, as there is with Flash, EPROM, or E2PROM technologies,
there is no charge to externally detect as a "1" state.
Most security experts highly prefer OTP memory technologies. This is due to the fact that state changes, i.e.
programming "0"s to "1"s, are destructive, as is the case with XPM. This may be used at the system level to
prohibit tampering as well as to protect against side channel attacks and glitching.

Figure 3. Lack of Physical Observability of XPM Bit Cell State. Cross Section (top) and Top View (middle)
represent TEM/SEM and a de-processed XPM cell, respectively. FIB Voltage Contrast (bottom) represents the
top view using this method of observation with only metal vias showing.
This level of physical layer security at the non-volatile memory device level is unique to antifuse based
technologies such as Kilopass' proprietary XPM technology.
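The second hardware security imperative (the licensor encrypts the key, only the target device can unlock it, and the device then programs it into OTP) and the destructive 0-to-1 programming described above, modelled together as an added example. This is illustrative code, not Kilopass' or Certicom's; the HMAC-based stream cipher standing in for a real block cipher, the 16-byte nonce, the 4-byte key id and the OtpArray class are all constructed assumptions.

```python
import hashlib
import hmac


class OtpArray:
    """Constructed model of a one-time-programmable array: a cell goes 0 -> 1 only,
    because programming is an irreversible oxide breakdown."""

    def __init__(self, nbytes):
        self.cells = bytearray(nbytes)

    def program(self, data):
        if len(data) != len(self.cells):
            raise ValueError("size mismatch")
        # Reject the whole write before touching a cell: any bit already at 1
        # that would have to become 0 cannot be cleared.
        if any(cur & (~new & 0xFF) for cur, new in zip(self.cells, data)):
            raise RuntimeError("cannot clear programmed bits")
        for i, b in enumerate(data):
            self.cells[i] |= b
        return bytes(self.cells)


def _stream(kek, nonce, length):
    """HMAC-SHA256 counter keystream, a stand-in for a real block cipher."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(kek, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def wrap_key(kek, key_id, nonce, device_key):
    """Licensor side: encrypt under the device family's KEK and bind to a
    4-byte key_id so the manufacturer can audit by id without seeing the key."""
    ct = bytes(a ^ b for a, b in zip(device_key, _stream(kek, nonce, len(device_key))))
    tag = hmac.new(kek, b"wrap" + key_id + nonce + ct, hashlib.sha256).digest()
    return key_id + nonce + ct + tag          # 16-byte nonce assumed


def device_provision(kek, blob, otp):
    """Device side: verify, unwrap, then burn. Verification must come first,
    since a corrupted key burned into OTP can never be corrected."""
    key_id, nonce, ct, tag = blob[:4], blob[4:20], blob[20:-32], blob[-32:]
    expected = hmac.new(kek, b"wrap" + key_id + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key rejected; nothing programmed")
    key = bytes(a ^ b for a, b in zip(ct, _stream(kek, nonce, len(ct))))
    otp.program(key)
    return key_id, key
```

Everyone between the licensor and the device (wafer sort, package test, the OEM programmer) handles only the blob, and a blob that fails its tag check is refused before any cell is burned.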

Securing the Manufacturing Supply Chain


In spite of an NVM technology that provides security at the physical layer, if sensitive keys are exposed during
the exchange of key information in the fabless semiconductor company's supply chain (Figure 4), the security
scheme may be compromised or broken. This becomes more critical in technology industries in which the
outsourcing of design and manufacturing to countries where legal IP protections are weak drives the need for
system level protections in the final microelectronic product. In the case of DVI and HDCP Keys, the licensor
charges a penalty of $1 million to $8 million per exposed key for this reason. This penalty is written into the
HDCP key license in order to protect that system from the exposure of keys, which could easily result in
compromising the entire security scheme.

Figure 4. Securing Encryption Keys in Semiconductor Mfg. Supply Chain
The combination of Certicom KeyInject™ and XPM Xtend™ for the secure key manufacturing, management,
and tracking of devices with embedded encryption keys defends against key exposure and any liabilities
assumed through the licensing of industry standard keys. Security keys are encrypted by KeyInject and
communicated through secure server technology within the semiconductor manufacturer's supply chain. The
XPM Xtend embedded IP decrypts sensitive information for processing by the device that contains the XPM Xtend
IP. All keys are tracked and managed for auditing by the manufacturer or Certificate Authority as needed.

Summary
For hardware security, these combined technologies provide an effective solution for both hardware security
imperatives. While legal protections may protect sensitive information and IP, as experienced with the DVD
case, the rapidly expanding global nature of technology raises the bar for the security requirements placed on chip
manufacturers. As the importance of hardware security increases, with high-worth liabilities and broken-security
costs on both the chip manufacturers' side as well as with their customers, an effective technology-based
solution to this problem is needed.
The proprietary CMOS Logic Antifuse technology provided by Kilopass' XPM IP provides unprecedented
physical layer security for embedded encryption keys. For the secure manufacturing of devices with
embedded encryption keys, Certicom KeyInject™ and XPM Xtend™ provide end-to-end security throughout a
chip manufacturer's supply chain.

© 2008 Kilopass Technology Inc. All rights reserved. XPM, the Kilopass name and the Kilopass logo are registered trademarks.
Certicom, Certicom KeyInject, and KeyInject are all registered trademarks of Certicom Corp. All other trademarks and registered
trademarks are the property of their respective owners.
