USRE47621EExpiredUtility

Secure transaction microcontroller with secure boot loader

53
Assignee: MAXIM INTEGRATED PRODUCTSPriority: Aug 13, 2004Filed: Jun 22, 2016Granted: Sep 24, 2019
Est. expiryAug 13, 2024(expired)· nominal 20-yr term from priority
G07F 19/207G06F 21/86G06Q 20/20G07F 9/105G06F 21/572Y10S257/922G06F 2221/2143G06F 21/71
53
PatentIndex Score
0
Cited by
50
References
75
Claims

Abstract

A high security microcontroller (such as in a point of sale terminal) includes tamper control circuitry for detecting vulnerability conditions: a write to program memory before the sensitive financial information has been erased, a tamper detect condition, the enabling of a debugger, a power-up condition, an illegal temperature condition, an illegal supply voltage condition, an oscillator fail condition, and a battery removal condition. If the tamper control circuitry detects a vulnerability condition, then the memory where the sensitive financial information could be stored is erased before boot loader operation or debugger operation can be enabled. Upon power-up if a valid image is detected in program memory, then the boot loader is not executed and secure memory is not erased but rather the image is executed. The tamper control circuitry is a hardware state machine that is outside control of user-loaded software and is outside control of the debugger.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. An integrated circuit, comprising:
 a processor; 
 a first amount of memory that stores a boot loader program; 
 a second amount of memory that stores an encryption key; and 
 tamper control circuitry that causes the encryption key to be erased before the boot loader program can be executed. 
 
     
     
       2. The integrated circuit of  claim 1 , further comprising:
 program memory, wherein the tamper control circuitry detects a write to the program memory and in response thereto causes the encryption key to be erased from the second amount of memory. 
 
     
     
       3. The integrated circuit of  claim 1 , wherein the tamper control circuitry detects a power-up condition and in response thereto causes the encryption key to be erased from the second amount of memory. 
     
     
       4. An integrated circuit, comprising:
 a processor; 
 a first amount of memory that stores a boot loader program; 
 a second amount of memory that stores an encryption key; 
 tamper control circuitry that causes the encryption key to be erased before the boot loader program can be executed; and 
 a debugger that can be enabled and disabled, wherein the tamper control circuitry detects an enabling of the debugger and in response thereto causes the encryption key to be erased from the second amount of memory. 
 
     
     
       5. The integrated circuit of  claim 1 , wherein the tamper control circuitry detects an illegal temperature range condition and in response thereto causes the encryption key to be erased from the second amount of memory. 
     
     
       6. The integrated circuit of  claim 1 , further comprising:
 a tamper detect terminal, wherein the tamper control circuitry reads a tamper condition from the tamper detect terminal and in response thereto causes the encryption key to be erased from the second amount of memory. 
 
     
     
       7. The integrated circuit of  claim 1 , wherein the tamper control circuitry is a hardware state machine that does not execute instructions. 
     
     
       8. The integrated circuit of  claim 1 , wherein the second amount of memory is battery-powered random access memory (RAM). 
     
     
       9. The integrated circuit of  claim 1 , wherein the integrated circuit is part of a point of sale terminal. 
     
     
       10. The integrated circuit of  claim 1 , wherein the integrated circuit is part of a point of sale terminal, the point of sale terminal having a serial port, and wherein the boot loader program is operable to cause a program to be loaded into the point of sale terminal through the serial port. 
     
     
       11. An integrated circuit, comprising:
 a processor; 
 a first amount of memory that stores a boot loader program; 
 a second amount of memory that stores an encryption key; 
 tamper control circuitry that causes the encryption key to be erased before the boot loader program can be executed; and 
 program memory, wherein the tamper control circuitry in response to a power-up condition determines whether a valid image is present in the program memory, and wherein if a the valid image is determined to be present in the program memory then the tamper control circuitry does not cause the encryption key to be erased but rather causes the valid image to be executed by the processor. 
 
     
     
       12. A method, comprising:
 (a) detecting a vulnerability condition on a microcontroller, the microcontroller storing an encryption key; 
 (b) in response to said detecting in (a) automatically erasing said encryption key; and 
 (c) only after said encryption key is erased in (b) executing a boot loader program on the microcontroller, wherein the boot loader program is stored on the microcontroller. 
 
     
     
       13. The method of  claim 12 , wherein the microcontroller is part of a point of sale terminal, and wherein the vulnerability condition is taken from the group consisting of: a tamper detect condition, a battery removal condition, an illegal temperature condition, and an illegal supply voltage condition. 
     
     
       14. A method, comprising:
 (a) detecting a vulnerability condition on a microcontroller, the microcontroller storing an encryption key: 
 (b) in response to the detecting in (a) automatically erasing the encryption key; and 
 (c) only after the encryption key is erased in (b) executing a boot loader program on the microcontroller, wherein the boot loader program is stored on the microcontroller, wherein the microcontroller is part of a point of sale terminal, and wherein the vulnerability condition is an enabling of a debugger of the microcontroller. 
 
     
     
       15. The method of  claim 12 , wherein the microcontroller includes a memory that stores credit card numbers, the encryption key also being stored in the memory, and wherein the entire memory is erased in (b). 
     
     
       16. A method, comprising:
 (a) detecting a vulnerability condition on a microcontroller, the microcontroller having a debugger and storing an encryption key: 
 (b) in response to the detecting in (a) automatically erasing the encryption key; 
 (c) only after the encryption key is erased in (b) executing a boot loader program on the microcontroller, wherein the boot loader program is stored on the microcontroller; and 
 (d) disabling the debugger in response to the detecting in (a) and prior to the execution of the boot loader program in (c). 
 
     
     
       17. The method of  claim 12 , wherein the microcontroller includes a non-volatile bit, the method further comprising:
 (d) setting the non-volatile bit in response to said detecting in (a) and prior to the execution of the boot loader program in (c). 
 
     
     
       18. The method of  claim 17 , wherein the vulnerability condition is a tamper detect condition, wherein the microcontroller includes a memory, and wherein the boot loader program is not executed after a power-up condition if a valid program image is detected to be present in the memory in the microcontroller. 
     
     
       19. An integrated circuit, comprising:
 a processor; 
 a first amount of memory that stores an encryption key; 
 a second amount of memory that stores a boot loader program; and 
 means for detecting a vulnerability condition and is response thereto automatically erasing the encryption key from the first amount of memory before the boot loader program can be executed by the processor. 
 
     
     
       20. The integrated circuit of  claim 19 , wherein the vulnerability condition is taken from the group consisting of: a tamper detect condition, an illegal temperature detect condition, an illegal voltage supply condition. 
     
     
       21. The integrated circuit of  claim 19 , wherein the integrated circuit can also store a second program, and wherein the means is also for making a determination whether the second program is valid and if the second program is determined to be valid then not automatically executing the boot loader program but rather executing the second program whereas if the second program is determined to be invalid or if there is no valid program stored in the integrated circuit then automatically executing the boot loader program. 
     
     
       22. An integrated circuit, comprising:
 a processor; 
 a first amount of memory that stores an encryption key: 
 a second amount of memory of memory that stores a boot loader program; and 
 means for detecting a vulnerability condition and in response thereto automatically erasing the encryption key from the first amount of memory before the boot loader program can be executed by the processor, wherein the integrated circuit includes a debugger, and wherein the debugger is not usable to stop said erasing of the encryption key. 
 
     
     
       23. The integrated circuit of claim 1 further comprising:
 a first oscillator coupled to the processor, the first oscillator generates a first signal from which a system clock is derived; and   a second oscillator coupled to the tamper control circuitry, the second oscillator generates a second signal to detect a tamper event.   
     
     
       24. The integrated circuit of claim 23 wherein the second oscillator is coupled to a real time clock, an output of the real time clock is monitored to detect the tamper event. 
     
     
       25. The integrated circuit of claim 24 wherein the output of the real time clock is used to detect a temperature variation indicative of the tamper event. 
     
     
       26. The integrated circuit of claim 1 further comprising at least one temperature sensor coupled to the tamper control circuitry, the at least one temperature sensor detects a temperature variation associated indicative of the tamper event. 
     
     
       27. The integrated circuit of claim 26 wherein an output of the at least one temperature sensor is compared to a threshold temperature value to identify the tamper event. 
     
     
       28. The integrated circuit of claim 27 wherein the threshold temperature value is programmable. 
     
     
       29. The integrated circuit of claim 1 further comprising at least one voltage sensor coupled to the tamper control circuitry, the at least one voltage sensor detects a voltage variation indicative of the tamper event. 
     
     
       30. The integrated circuit of claim 29 wherein an output of the at least one voltage sensor is compared to a threshold voltage value to identify the tamper event. 
     
     
       31. The integrated circuit of claim 1 further comprising a plurality of serial ports, at least one of the ports within the plurality of serial ports interfaces with an external device in accordance with a Serial Peripheral Interface protocol. 
     
     
       32. The integrated circuit of claim 1 wherein the first amount of memory comprises a Read Only Memory. 
     
     
       33. The integrated circuit of claim 1 wherein the second amount of memory comprises a plurality of registers within the integrated circuit. 
     
     
       34. The integrated circuit of claim 1 wherein the second amount of memory comprises a RAM memory. 
     
     
       35. The integrated circuit of claim 1 wherein the second amount of memory comprises a Flash memory. 
     
     
       36. The integrated circuit of claim 1 further comprising program memory coupled to the first amount of memory, the program memory stores an image of the boot loader program prior to execution. 
     
     
       37. The integrated circuit of claim 1 wherein an image of the boot loader program is subject to a validation process to identify a tamper event and execution of the boot loader program is performed only after the image is validated. 
     
     
       38. The integrated circuit of claim 37 wherein the validation process comprises a CRC check. 
     
     
       39. The integrated circuit of claim 37 wherein the encryption key is erased in response to a failure of the image to be validated. 
     
     
       40. The integrated circuit of claim 36 wherein the program memory comprises Flash memory. 
     
     
       41. The integrated circuit of claim 36 wherein the program memory comprises RAM memory. 
     
     
       42. The integrated circuit of claim 1 further comprising a bridge coupled between a first bus and a second bus, the bridge providing an interface between the first and second buses. 
     
     
       43. The integrated circuit of claim 42 wherein the first bus is an Advanced Microcontroller Bus and the second bus is an Advanced Peripheral Bus. 
     
     
       44. The integrated circuit of claim 1 further comprising a debug interface coupled to the processor and the tamper control circuitry, the debug interface provides external access to at least a portion of the integrated circuit during a test procedure. 
     
     
       45. The integrated circuit of claim 44 wherein the debug interface is a JTAG port. 
     
     
       46. The integrated circuit of claim 1 further comprising a backup battery coupled to a battery interface, the backup battery provides power to at least a portion of the integrated circuit if power is lost from a primary power source. 
     
     
       47. The integrated circuit of claim 46 wherein the backup battery is coupled to the tamper control circuitry. 
     
     
       48. The integrated circuit of claim 1 further comprising a UART coupled to at least one interface that allows communication with an external device. 
     
     
       49. The integrated circuit of claim 1 further comprising a secure memory coupled to the tamper control circuitry, the secure memory stores sensitive data. 
     
     
       50. The integrated circuit of claim 49 wherein the secure memory is located within the integrated circuit. 
     
     
       51. The integrated circuit of claim 49 wherein the secure memory stores at least one type of data selected from a group consisting of encryption keys, passwords and account numbers. 
     
     
       52. The integrated circuit of claim 1 wherein the integrated circuit operates in a plurality of modes, a first mode having limited access rights and functionality compared to a second mode within the plurality of modes. 
     
     
       53. The integrated circuit of claim 1 further comprising a network interface, the network interface allows secure transmission of data to a third party across a network. 
     
     
       54. The integrated circuit of claim 1 further comprising a user authentication interface that authenticates a user to a session. 
     
     
       55. The integrated circuit of claim 54 wherein the user authentication interface receives a user signature. 
     
     
       56. The integrated circuit of claim 54 wherein the user authentication interface receives a password. 
     
     
       57. The integrated circuit of claim 4 further comprising at least one temperature sensor coupled to the tamper control circuitry, the at least one temperature sensor detects a temperature variation associated indicative of a tamper event. 
     
     
       58. The integrated circuit of claim 57 wherein an output of the at least one temperature sensor is compared to a threshold temperature value to identify the tamper event. 
     
     
       59. The integrated circuit of claim 4 further comprising at least one voltage sensor coupled to the tamper control circuitry, the at least one voltage sensor detects a voltage variation associated indicative of a tamper event. 
     
     
       60. The integrated circuit of claim 59 wherein an output of the at least one voltage sensor is compared to a threshold voltage value to identify the tamper event. 
     
     
       61. The integrated circuit of claim 4 wherein the second amount of memory comprises a plurality of registers within the integrated circuit. 
     
     
       62. The integrated circuit of claim 4 wherein the second amount of memory comprises a RAM memory. 
     
     
       63. The integrated circuit of claim 4 wherein the second amount of memory comprises a Flash memory. 
     
     
       64. The integrated circuit of claim 4 further comprising program memory coupled to the first amount of memory, the program memory stores an image of the boot loader program prior to execution. 
     
     
       65. The integrated circuit of claim 4 wherein an image of the boot loader program is subject to a validation process to identify a tamper event and execution of the boot loader program is performed only after the image is validated. 
     
     
       66. The integrated circuit of claim 65 wherein the validation process comprises a CRC check. 
     
     
       67. The integrated circuit of claim 65 wherein the encryption key is erased in response to a failure of the image to be validated. 
     
     
       68. The integrated circuit of claim 64 wherein the program memory comprises Flash memory. 
     
     
       69. The integrated circuit of claim 64 wherein the program memory comprises RAM memory. 
     
     
       70. The integrated circuit of claim 4 further comprising a backup battery coupled to a battery interface, the backup battery provides power to at least a portion of the integrated circuit if power is lost from a primary power source. 
     
     
       71. The integrated circuit of claim 70 wherein the backup battery is coupled to the tamper control circuitry. 
     
     
       72. The integrated circuit of claim 11 further comprising at least one temperature sensor coupled to the tamper control circuitry, the at least one temperature sensor detects a temperature variation associated indicative of a tamper event. 
     
     
       73. The integrated circuit of claim 11 further comprising at least one voltage sensor coupled to the tamper control circuitry, the at least one voltage sensor detects a voltage variation associated indicative of a tamper event. 
     
     
       74. The integrated circuit of claim 11 wherein the second amount of memory comprises a plurality of registers within the integrated circuit. 
     
     
       75. The integrated circuit of claim 11 wherein the encryption key is erased in response to a check of the valid image failing.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.