Post a Comment
News and New Products
IP protects chips from unauthorized manufacture
By Ron Wilson, Executive Editor -- EDN, 7/24/2006 6:00:00 AM
Pity the poor United States Department of Defense (DOD). After a long nap, during which it allowed institutional investors to set US industrial policy, this august body woke up recently to discover that potentially hostile countries were going to be fabricating the top-secret advanced ICs fundamental to its smart weapons programs.
This startling discovery spurred development of—what else—a request for research proposals (see for example this announcement). The problem is twofold: When sending secret chip designs to non-US foundries, how can the DOD be certain that the intellectual property stays secure and that none of the production chips fall into the wrong hands?
A related version of the latter problem arose in the commercial-IC industry several years ago, when it appeared that reject dice from manufacturing runs were leaking through the hands of unscrupulous individuals—possibly in the assembly and test business—onto the international gray market. The result, of course, was a customer-support headache for the original chip designer, as well as price dilution for the legal parts.
Certicom, a company with roughly 20 years of experience in ECC (elliptic curve cryptography), announced today that it is taking a serious cut at solving this second part of the DOD's problem. The solution will come in the form of a 20,000-gate cryptography core that worried design teams may embed in their chip designs. This core can be set to disable functions in the IC unless the chip receives a prearranged sequence of keys during the manufacturing process—say one key during wafer sort, one during package test, and one during board test. The keys would be provided directly and traceably to the points of use by Certicom's secure KeyInject system.
This scheme makes it prohibitively difficult, according to Certicom product manager Brian Neill, for an unauthorized party to activate chips that have not flowed through the full authorized manufacturing process and been issued keys with the knowledge of the designer. Therefore, chips that nefarious individuals divert from the production flow to the gray market will not function. Of course that would be true of defective chips as well, but at least with the Certicom core, the original designer can control what the unauthorized chips will and will not do.
The system works in a straightforward way, according to Neill. At predetermined points in the manufacturing process, the core—called a PCC (Production Control Core)—is interrogated for its serial number. In response to this number, the KeyInject system issues a key that is stored in one-time-programmable memory on the chip. This process may be repeated several times during the production flow, each time adding an additional key to the memory.
During the initial chip design, designers connect the outputs from the PCC to control lines that lead to critical areas of the die. At power-up, the PCC reads all its keys, authenticates them, and determines whether or not to enable the rest of the chip. Obviously, the system needs some provision for getting the chip to run in test mode before manufacturing is complete, but in general: no correct set of keys, no function.
This effectively protects against unauthorized diversion of chips, Certicom believes. It does not, however, protect against tampering with the chip to bypass the PCC. But in volumes that would make gray-market sale worthwhile, that would be prohibitively expensive. Nor does Certicom's PCC protect the IP within the chip; it makes no attempt to harden the device against probing or to detect exploits. That will be a separate problem for the DOD to solve.
Certicom provides the KeyInject system, which comprises redundant servers for the chip designer and terminals for the various manufacturing stations, starting at around $350,000 for a simple arrangement. The PCC carries a per-unit royalty based on the market value of the chip being protected.
