Secure transaction microcontroller with secure boot loader

US 7,343,496 B1
Filed: 08/13/2004
Issued: 03/11/2008
Est. Priority Date: 08/13/2004
Status: Expired

First Claim

Patent Images

1. An integrated circuit, comprising:

a processor;

a first amount of memory that stores a boot loader program;

a second amount of memory that stores an encryption key; and

tamper control circuitry that causes the encryption key to be erased before the boot loader program can be executed.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A high security microcontroller (such as in a point of sale terminal) includes tamper control circuitry for detecting vulnerability conditions: a write to program memory before the sensitive financial information has been erased, a tamper detect condition, the enabling of a debugger, a power-up condition, an illegal temperature condition, an illegal supply voltage condition, an oscillator fail condition, and a battery removal condition. If the tamper control circuitry detects a vulnerability condition, then the memory where the sensitive financial information could be stored is erased before boot loader operation or debugger operation can be enabled. Upon power-up if a valid image is detected in program memory, then the boot loader is not executed and secure memory is not erased but rather the image is executed. The tamper control circuitry is a hardware state machine that is outside control of user-loaded software and is outside control of the debugger.

135 Citations

22 Claims

1. An integrated circuit, comprising:
- a processor;
  
  a first amount of memory that stores a boot loader program;
  
  a second amount of memory that stores an encryption key; and
  
  tamper control circuitry that causes the encryption key to be erased before the boot loader program can be executed.
- View Dependent Claims (2, 3, 5, 6, 7, 8, 9, 10)
- - 2. The integrated circuit of claim 1, further comprising:
    - program memory, wherein the tamper control circuitry detects a write to the program memory and in response thereto causes the encryption key to be erased from the second amount of memory.
  - 3. The integrated circuit of claim 1, wherein the tamper control circuitry detects a power-up condition and in response thereto causes the encryption key to be erased from the second amount of memory.
  - 5. The integrated circuit of claim 1, wherein the tamper control circuitry detects an illegal temperature range condition and in response thereto causes the encryption key to be erased from the second amount of memory.
  - 6. The integrated circuit of claim 1, further comprising:
    - a tamper detect terminal, wherein the tamper control circuitry reads a tamper condition from the tamper detect terminal and in response thereto causes the encryption key to be erased from the second amount of memory.
  - 7. The integrated circuit of claim 1, wherein the tamper control circuitry is a hardware state machine that does not execute instructions.
  - 8. The integrated circuit of claim 1, wherein the second amount of memory is battery-powered random access memory (RAM).
  - 9. The integrated circuit of claim 1, wherein the integrated circuit is part of a point of sale terminal.
  - 10. The integrated circuit of claim 1, wherein the integrated circuit is part of a point of sale terminal, the point of sale terminal having a serial port, and wherein the boot loader program is operable to cause a program to be loaded into the point of sale terminal through the serial port.

4. An integrated circuit, comprising:
- a processor;
  
  a first amount of memory that stores a boot loader program;
  
  a second amount of memory that stores an encryption key;
  
  tamper control circuitry that causes the encryption key to be erased before the boot loader program can be executed; and
  
  a debugger that can be enabled and disabled, wherein the tamper control circuitry detects an enabling of the debugger and in response thereto causes the encryption key to be erased from the second amount of memory.

11. An integrated circuit, comprising:
- a processor;
  
  a first amount of memory that stores a boot loader program;
  
  a second amount of memory that stores an encryption key;
  
  tamper control circuitry that causes the encryption key to be erased before the boot loader program can be executed; and
  
  program memory, wherein the tamper control circuitry in response to a power-up condition determines whether a valid image is present in the program memory, and wherein if a valid image is determined to be present in program memory then the tamper control circuitry does not cause the key to be erased but rather causes the image to be executed by the processor.

12. A method, comprising:
- (a) detecting a vulnerability condition on a microcontroller, the microcontroller storing an encryption key;
  
  (b) in response to said detecting in (a) automatically erasing said encryption key; and
  
  (c) only after said encryption key is erased in (b) executing a boot loader program on the microcontroller, wherein the boot loader program is stored on the microcontroller.
- View Dependent Claims (13, 15, 17, 18)
- - 13. The method of claim 12, wherein the microcontroller is part of a point of sale terminal, and wherein the vulnerability condition is taken from the group consisting of:
    - a tamper detect condition, a battery removal condition, an illegal temperature condition, and an illegal supply voltage condition.
  - 15. The method of claim 12, wherein the microcontroller includes a memory that stores credit card numbers, the encryption key also being stored in the memory, and wherein the entire memory is erased in (b).
  - 17. The method of claim 12, wherein the microcontroller includes a non-volatile bit, the method further comprising:
    - (d) setting the non-volatile bit in response to said detecting in (a) and prior to the execution of the boot loader program in (c).
  - 18. The method of claim 17, wherein the vulnerability condition is a tamper detect condition, wherein the microcontroller includes a memory, and wherein the boot loader program is not executed after a power-up condition if a valid program image is detected to be present in the memory in the microcontroller.

14. A method, comprising:
- (a) detecting a vulnerability condition on a microcontroller, the microcontroller storing an encryption key;
  
  (b) in response to the detecting in (a) automatically erasing the encryption key; and
  
  (c) only after the encryption key is erased in (b) executing a boot loader program on the microcontroller, wherein the boot loader program is stored on the microcontroller, wherein the microcontroller is part of a point of sale terminal, and wherein the vulnerability condition is an enabling of a debugger of the microcontroller.

16. A method, comprising:
- (a) detecting a vulnerability condition on a microcontroller, the microcontroller having a debugger and storing an encryption key;
  
  (b) in response to the detecting in (a) automatically erasing the encryption key;
  
  (c) only after the encryption key is erased in (b) executing a boot loader program on the microcontroller, wherein the boot loader program is stored on the microcontroller; and
  
  (d) disabling the debugger in response to the detecting in (a) and prior to the execution of the boot loader program in (c).

19. An integrated circuit, comprising:
- a processor;
  
  a first amount of memory that stores an encryption key;
  
  a second amount of memory that stores a boot loader program; and
  
  means for detecting a vulnerability condition and in response thereto automatically erasing the encryption key from the first amount of memory before the boot loader program can be executed by the processor.
- View Dependent Claims (20, 21)
- - 20. The integrated circuit of claim 19, wherein the vulnerability condition is taken from the group consisting of:
    - a tamper detect condition, an illegal temperature detect condition, an illegal voltage supply condition.
  - 21. The integrated circuit of claim 19, wherein the integrated circuit can also store a second program, and wherein the means is also for making a determination whether the second program is valid and if the second program is determined to be valid then not automatically executing the boot loader program but rather executing the second program whereas if the second program is determined to be invalid or if there is no valid program stored in the integrated circuit then automatically executing the boot loader program.

22. An integrated circuit, comprising:
- a processor;
  
  a first amount of memory that stores an encryption key;
  
  a second amount of memory of memory that stores a boot loader program; and
  
  means for detecting a vulnerability condition and in response thereto automatically erasing the encryption key from the first amount of memory before the boot loader program can be executed by the processor, wherein the integrated circuit includes a debugger, and wherein the debugger is not usable to stop said erasing of the encryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Maxim Integrated Products, Inc. (Analog Devices, Inc.)
Original Assignee
ZiLOG Incorporated (Littelfuse Incorporated)
Inventors
Chock, Raymond O., Hess, Mark, Hsiang, Peter C.
Primary Examiner(s)
Prieto; Beatriz
Assistant Examiner(s)
Armouche; Hadi S

Application Number

US10/918,272
Time in Patent Office

1,306 Days
Field of Search

713/194, 713200-201, 713/187, 713 34- 36, 257/922, 380/1, 380/25, 380/30, 708/491, 340/539.1, 361/654, 361/672
US Class Current

713/194
CPC Class Codes

G06F 21/572   Secure firmware programming...

G06F 21/71   to assure secure computing ...

G06F 21/86   Secure or tamper-resistant ...

G06F 2221/2143   Clearing memory, e.g. to pr...

G06Q 20/20   Point-of-sale [POS] network...

G07F 19/207   Surveillance aspects at ATMs

G07F 9/105   Heating or cooling means, f...

Y10S 257/922   with means to prevent inspe...

Secure transaction microcontroller with secure boot loader

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

135 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Secure transaction microcontroller with secure boot loader

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

135 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links