Chipmaker licenses portfolio of security patents to protect smart cards
- By William Jackson
- Aug 15, 2008
Infineon Technologies AG, a major supplier of semiconductor chips for the smart card industry and for electronic documents such as U.S. passports, has licensed a portfolio of patented technology for differential power analysis countermeasures to from Cryptography Research Inc. of San Francisco.
The deal, which applies to existing Infineon chips as well as to new purchases, will let any Infineon customers use the security tools without additional fees.
'All the licensing issues are taken care of,' said CRI president Paul Kocher. 'It simplifies the process of buying and deploying DPA countermeasures.'
Chips in smart cards and other documents often contain sensitive information that is cryptographically protected. Differential power analysis is a technique for discovering the cryptographic keys by monitoring variations in a device's electrical power consumption and using statistical methods to separate the key from background noise. CRI uses several techniques to thwart the attacks, including hardware modifications that reduce the power of signals leaking from an active chip and mask them from filtering, and software to randomize the keys while still operating within industry standards so that data from different transaction cannot be combined to reveal keys.
Most customers will get the protection built into the chips from the manufacturer or reseller, Kocher said, although some prefer to add it to chips themselves. Either process is covered under the license.
CRI claims patent protection for a broad range of anti-DPA technology, which the company says effectively covers any practical on-chip solution. Kocher said the company now has one patent infringement suit in progress but that a number of companies are using technology for which CRI claims protection. The Infineon deal removes any patent concerns for Infineon customers who want to protect cards and documents against DPA attacks, he said.
'Infineon is the first major licensee in the smart card industry,' he said. 'That is pretty significant. The smart card industry is a high-volume business where security is important.'
The licensing agreement also covers CRI's CryptoFirewall, which provides an extension to reinforce access control systems and hardware-based authentication.
Infineon is one of the world's largest producers of chips, having shipped 842 million of them in 2006, according to Frost and Sullivan. In 2006, the company announced a multimillion-piece purchase order of chips for U.S. electronic passports. The chips contain an encrypted copy of the printed information on the passport, including the bearer's name, date of birth, validity period and a digital photo. The cards are intended to be machine readable from a distance of about four inches and use Basic Access Control, which requires a secret key to access data. But there have been complaints about security weaknesses in the documents and the use of DPA countermeasures could add another layer of security.
The Infineon deal simplifies licensing the technology for passports, Kocher said.
'The process of licensing to the government is quite convoluted,' he said. By licensing directly with the manufacturer, 'we'll get a lower price per unit, but it makes things easier for the customer and easier for us.'
William Jackson is a Maryland-based freelance writer.