A security chip must be able to store security-critical data – for example keys, personal data or biometric information – and be able to protect the system in a wide range of totally different application fields. Until now, companies have focused on protecting on-chip data from criminal attack by concealing it. Sensors have been used to recognize such attacks and to protect sensitive data from consequent manipulation. However, these methods no longer meet the very high security requirements that exist today.
Back in 2008, to protect data more effectively, Infineon developed a completely new approach to security with “Integrity Guard”. This now proven technology is based on digital security and features two revolutionary innovations. Infineon engineers have succeeded in creating a security technology that not only encrypts the data on the security controller but can also process the data while it is encrypted. Even if malicious attackers “eavesdrop” on the data signals, they only receive encrypted, and therefore incomprehensible, information.
“Integrity Guard” is a security technology that has been inspired by the information storage and information processing of a living cell; the actual inspiration for the concept was the double helix of a human cell. The idea behind it is simple enough – every biological cell is comparable to a “secure computer” that must safely store and process genetic information.
The technical realization of this innovation equips controllers with robust digital mechanisms to protect secure data and to monitor security conditions. Utilizing the “Integrity Guard”, the controller reacts autonomously to security threats. At the core of this self-checking design is a dual CPU that performs a continuous self-check of all operations. This self-checking actually results in ‘integrity protection’ – hence the name “Integrity Guard”.
Another key element of “Integrity Guard” is the comprehensive encryption over the whole data path, leaving no plaintext on the chip.
“Integrity Guard” encryption goes much further than conventional concepts and for the first time in chip card history even calculates with encrypted numbers in the CPU itself.
In addition to the complete encryption of the entire data path (CPUs, memories, caches and buses), these high security controllers have two CPUs and a refined error-detection system. The two units continually monitor each other, and should a unit detect that an operation has not been properly executed due to a criminal attack, it initiates the corresponding countermeasures. In this case, the chip immediately stops the ongoing processes and triggers an alarm. This makes it possible to ward off the most varied kinds of attacks.
New digital security features
Thanks to the totally new scope of their digital security features, controllers with “Integrity Guard” meet very high security requirements. Their robust design overcomes the disadvantages of analog security technologies. Full on-chip encryption, including encrypted calculation in the CPU itself, and full error-detection capabilities over the complete core architecture provide the basis for the efficient protection of sensitive data against external attacks.
Full error detection
“Integrity Guard” security chips are the first of their kind to be equipped with a full error detection capability for the complete data path. A dual CPU approach allows error detection even while processing – the CPUs constantly check each other to establish whether the other unit is functioning correctly. Relevant attack scenarios can be detected, whereas events that would not lead to a computational error are more or less ignored. Thus the risk of false alarms – a significant disadvantage in conventional solution concepts – is significantly reduced. The approach includes error detection and correction throughout the entire system.
The security controllers with Infineon’s “Integrity Guard” are equipped with full encryption over the complete CPU core and the memories – meaning no more plain data is left on the chip. It is the first time ever in commercial security controllers that the two CPUs have utilized fully hardware-encrypted calculation, and with different dynamic secret keys. This is only possible because Infineon implemented the CPUs from scratch, which allows real encrypted operations to be integrated.
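As an added illustration (toy code written for this page, not Infineon’s design or any code from the original), the following Python model shows the two ideas described above: each core computes on words masked with its own secret key, and the cross-check compares the two masked results using only the key difference, so the checker never sees plaintext; an injected fault in one core trips the alarm and halts processing. The XOR masking, the XOR-only ALU and all names are assumptions of the model.

```python
"""Toy dual-CPU model with a masked data path and cross-check (added illustration,
NOT Infineon's design): 'encryption' is an XOR mask with a per-core secret key, the
ALU supports only XOR-with-immediate (which commutes with the mask), and the
comparator sees masked words plus the key delta only."""
import os

WORD = 4  # register width in bytes (constructed value)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class MaskedCpu:
    """One core: its registers hold only masked (key-XORed) words, never plaintext."""
    def __init__(self, key: bytes):
        self.key = key  # dynamic per-core secret key, fresh for each session
    def load(self, plaintext: bytes) -> bytes:
        return xor_bytes(plaintext, self.key)  # masked at the trusted input boundary
    def xor_imm(self, masked: bytes, imm: bytes) -> bytes:
        return xor_bytes(masked, imm)  # (x ^ k) ^ c == (x ^ c) ^ k: no unmasking needed

class Alarm(Exception):
    """Cores disagree: the result is discarded and processing stops."""

class DualCoreController:
    def __init__(self) -> None:
        self.cpu_a = MaskedCpu(os.urandom(WORD))
        self.cpu_b = MaskedCpu(os.urandom(WORD))
        self.key_delta = xor_bytes(self.cpu_a.key, self.cpu_b.key)  # all the checker needs
    def run(self, plaintext: bytes, imm: bytes, fault: bytes = bytes(WORD)) -> bytes:
        ra = self.cpu_a.xor_imm(self.cpu_a.load(plaintext), imm)
        rb = self.cpu_b.xor_imm(self.cpu_b.load(plaintext), imm)
        rb = xor_bytes(rb, fault)  # constructed fault injection on core B
        if xor_bytes(ra, rb) != self.key_delta:  # ra ^ rb == ka ^ kb iff both cores agree
            raise Alarm("cross-check failed")
        return ra  # still masked under cpu_a.key

def demo(inject_fault: bool) -> str:
    """Unmasked hex result at the output boundary, or 'alarm' if the check fired."""
    ctrl = DualCoreController()
    fault = b"\x00\x00\x00\x01" if inject_fault else bytes(WORD)
    try:
        out = ctrl.run(b"\x12\x34\x56\x78", b"\xff\x00\xff\x00", fault)
    except Alarm:
        return "alarm"
    return xor_bytes(out, ctrl.cpu_a.key).hex()
```

The check `ra ^ rb == ka ^ kb` holds for any pair of keys when both cores computed the same value, which is why the keys can be changed dynamically without touching the comparator.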
In signal protection, the main objective is to reduce the attractiveness of the signals for the attacker to a minimum. This is done by means of full encryption. Attackers can neither manipulate nor eavesdrop on encrypted signals. Nevertheless, in every chip there are signals that are more important than others, so an Infineon-specific shielding, combined with secure wiring, has been developed. With this method, all the signals are first classified according to their value for the attacker. In a second step, during the design of the chip, the more interesting signals are automatically routed under less valuable lines. Subsequently, an intelligent shielding algorithm finishes the upper layers, completing the so-called I2-shield (Intelligent Implicit shield).
Towards durable security
For the challenges on the path toward durable and lasting security, a professional approach is necessary in order to anticipate future attacks and suitable countermeasures. When developing new product families, the planned and anticipated lifetime needs to be kept in mind. As is the case for electronic passport chips, there is often a span of ten to fifteen years between the design and the end of the product’s lifetime in the field.
Infineon’s own security laboratories therefore focus on researching what will appear next in terms of known or even completely new attack scenarios. Localised attack methods aim at finding secret keys in the very heart of a chip – the CPU. Unencrypted CPUs make access to sensitive data easier; they can be analysed by an attacker using today’s state-of-the-art methods, such as optical emission analysis or electromagnetic emanation attacks. It has been shown that conventional, scenario-specific countermeasures not only drive the cost spiral upwards and lead to tedious security updates, but also no longer serve the requirements of applications with a high security demand.
The advantages of “Integrity Guard”
“Integrity Guard” offers a multitude of important advantages, which fully pay off in the development of secure products.
Today, providing top-level security often means investing great effort and high costs – not only for the chip manufacturer, but also for the operating system and application software developers. Adding security often decreases flexibility in conventional applications or even reduces performance. In Infineon’s security controllers with “Integrity Guard” technology, almost all security features are automated. Infineon theorizes that, because of these automated self-checking features, development time is reduced by approximately 30% as less code needs to be written, once again reducing total cost of ownership.
“Customer-friendly security” means that security features are easy to use and ensure confidence along the entire value chain – from chip manufacturer and chip card manufacturer to system integrators and the customer. This customer-friendly security results in significantly lower overall costs over the product life cycle.
Designing with Integrity Guard for a secure solution reduces total cost of ownership through R&D efficiency in application development, thereby ensuring a shorter time to market for end customer products. Its open architecture will also accommodate future hardware extensions, leaving room for expansion of products and their product life spans.
Thanks to their robust design, security chips with “Integrity Guard” technology can also be used in difficult and demanding environments. Their digital features need neither adjustment nor calibration, which makes the chips even more resistant. Conditions that do not directly harm the chip itself will therefore not affect its correct functioning.
Mathematically modelled security
Error-detection codes and digital security features can be mathematically modelled. This facilitates the security evaluation and certification both internally and when performed by third parties.
Security chips with “Integrity Guard” have self-controlling security mechanisms. The most important element is the comprehensive digital error detection over the complete core architecture, including memories, buses, caches, and the dual CPU.
The design of the security chips alone impedes attacks. Full encryption is used for CPU, memories, and buses, covering all stored, processed, and transferred data. These mechanisms are automated and facilitate the software implementation and use.
Accreditation and testing
Integrity Guard security technology has been evaluated by the accredited and internationally recognized TÜViT testing and certification authority.
The Federal Office for Information Security (BSI) confirmed the high security of Infineon’s “Integrity Guard”-based security chips according to “Common Criteria”, the internationally recognized standard for the rigorous assessment and certification of security chips. Furthermore, the security controller meets the security requirements for payment cards from EMVCo (Europay, Mastercard, Visa). More than 20 Common Criteria EAL 6+ Certificates, maintenance certificates or reassessments for security controllers based on Integrity Guard have been achieved.
“Integrity Guard” in end applications
Infineon’s security technology was developed for applications that require particularly high-level data security and resilience over a particularly long product lifetime. Important application fields for security controllers with “Integrity Guard” include governmental identification documents as well as banking and credit cards. In these fields “Integrity Guard” already sets the technological standard for chip-based security today.
Security controllers are also used increasingly in numerous networked systems such as computers, IT infrastructures, and industrial control systems as well as critical infrastructure systems such as smart grids – where “Integrity Guard” provides the basis for overall system security.
In Germany, “Integrity Guard”-based security chips are, for example, used in the electronic identity and healthcare cards as well as for contactless payment applications like the German Banking Industry Committee’s (Deutsche Kreditwirtschaft) “girocard kontaktlos” project. This project is currently one of Europe’s biggest contactless EMV payment projects.
“Integrity Guard” is one of the world’s most advanced technologies for delivering a particularly high level of long-lasting protection for the data on chip cards. Examples of the data involved in the German eHealth card with six-year validity are the insured person’s name, date of birth, gender and address as well as insurance number and insurance status. As with all “Integrity Guard”-based security microcontrollers, the data on the eHealth card is not only stored in encrypted form but also processed in encrypted form.
The inclusion of secure controllers using “Integrity Guard” means that the eHealth card is already equipped for additional applications that further raise the quality of patient care and the efficiency of treatment. With the insurance holder’s consent, additional personal data can be stored on the card, such as emergency data, essential medication, allergies, drug intolerance or indication of pregnancy.
Infineon has been supplying “Integrity Guard” technology within their family of SLE 78 security microcontrollers for the German eHealth card since 2011 and continues to supply the majority of German eHealth microcontrollers.
Infineon is the only semiconductor manufacturer to supply chips to ten of the currently eleven national health card projects in Europe. Apart from German e-health cards, Infineon’s chips are also to be found in the e-health cards of Austria, Belgium, Great Britain (without Ireland), Italy, Poland, Portugal, Slovenia, Spain and Switzerland. Infineon is the global market leader in security chips for e-health cards with a 60% market share.
The security technology “Integrity Guard” deployed in the eHealth card has received multiple technological innovation awards. It won the German Industry’s Innovation Award 2010 and the security industry’s “Sesame Award” 2008 and was nominated for the “Deutscher Zukunftspreis 2012” – the German Federal President’s Award for Innovation and Technology.
“Integrity Guard” puts forward indispensable hardware security features that cannot be implemented effectively in software and gives software providers an efficient environment for truly secure, high-performance and feature-rich applications.
Infineon will have sold more than 1.500.000.000 Mio pieces of “Integrity Guard” products by the end of March 2018.