WO1991009484A1

WO1991009484A1 - A security circuit for mobile radio telephones as well as a method to be used in connection with the circuit

Info

Publication number: WO1991009484A1
Application number: PCT/DK1990/000326
Authority: WO
Inventors: Jens Jakobsen; Bent Dahl
Original assignee: Cetelco Cellular Telephone Company A/S
Priority date: 1989-12-11
Filing date: 1990-12-11
Publication date: 1991-06-27
Also published as: DK624489D0; DK624489A; AU7038391A

Abstract

A security circuit for an NMT-mobile radio telephone using SIS (Subscribers Identity Security) comprising a single chip with a CPU and associated memories, wherein the memories storing the authentication key (SAK) for the SIS are divided into accessible areas (202, 206, 208, 222) and nonaccessible areas (220, 204), to which access is allowed only by CPU instructions fetched from a ROM (202) containing internal code enabling reading of the SAK in the secret areas (204), when a call from a subscriber is processed. The new circuit renders it possible to maintain the secrecy of the SAK even though the CPU is connected to external data equipment (130, 140).

Description

Title: A. Security Circuit For Mobile Radio Telephones as well as a Method to be Used in Connection With the Circuit

Technical Field

The present invention relates to a security circuit of the type stated in the preamble of claim 1.

Background Art

A security system is known in connection with mobile radio telephones, said system being called "SIS", i.e. Subscriber Identity Security. SIS was developed in order to prevent misuse of telephone numbers within NMT (Northern Mobile Telephones). By the SIS system, a base station, i.e. an exchange for mobile radio telephones, requires authentication of the calling mobile radio telephone MT, and for this purpose a secret authentication key SAK has been programmed in all the mobile radio telephones using the SIS system. The SAK comprises 120 bits divided into six blocks. It is a condition for the security that the key is secret, and accordingly it is stored in an EEFROM in a single chip ASIC-design subsequently referred to as DAPC. The secret key, i.e. the SAK, is produced by a random generator and is programmed in the DAPC during the production together with the reference number of the telephone, said reference number including information on the manufacturer, the date and the sequence number of the day. The combination of SAK and the reference number is applied in encrypted form to the postal and telegraph services or a corresponding Authority in the country in question, and as the programming and the encrypting are simultaneously performed during the production, not even the manufacturer is aware of the value of the SAK.

When a customer has received a mobile radio telephone, the reference number of said mobile radio telephone is used for applying for a telephone number with the postal and telegraph services. The postal and telegraph services combine the new telephone number with the associated SAK storing the telephone number and the associated SAK in a memory in the base station, whereafter the mobile radio telephone protected by the security system is ready for use.

When a mobile radio telephone subsequently calls a mobile base station, i.e.. a Mobile Telephone eXchange MTX, i.e. a radio station comprising a telephone exhange linked with the public telephone network and provided with the SIS system, the telephone number is applied as authentication. Subsequently, MTX transmits a "random challenge" consisting of 28 bits in two portions. The DAPC of the mobile radio telephone combines the 28 bits with its secret authentication key SAK by means of a so-called SIS-algorithm specified by the SIS system. Having performed a complicated calculation, the DAPC ends up with a 16 bits result called a "signed response" which is returned to the base station MTX. As the SIS-algorithm as well as the secret key SAK of the telephone number in question has been stored in the MTX, said MTX can concurrently perform the same calculation in order to compare the results. In this manner, only the subscribers presenting the correct telephone number are accepted and allowed to make a call. The probability of a dishonest user ending up with a correct result has been estimated to 1/65,000.

In addition to the calculation of a signed response, it is also possible to demand that the dialled number is encrypt- ed by means of some intermediate calculations resulting from said calculation, and the probability of a dishonest user succeeding therein is approximately 1/16,000,000. It is considered impossible to calculate the SAK of a mobile radio telephone by listening in on the communication of "random challenge" and "signed response". The SIS system has been described in "Specification for NMT-SIS key management in NMT-900" and "SIS addendum to NMT doc 900-1" available from the NMT group.

As it appears from the above, it is of vital importance for the SIS-system that the SAK is kept secret. A solution may be to accomodate the SAK and the CPU calculating the signed response on one and the same chip in a sealed package.

It is the intention to use the CPU for other tasks not mentioned in the present application. The capability of solving other tasks requires, however, a possibility of linking an external program memory as well as a possibility of connecting a main processor capable of controlling the operation of the DAPC through a command interface. The demand for allowing use of the CPU for other tasks causes, however, the following problems:

1) When address/data bus is external, it is possible to read the value of any desired byte by trigging the address bus. 2) When it is possible to link an external program memory, it is, however, possible to produce a program printing out the SAK.

3) It is also possible through the command interface to instruct the DAPC to read the SAK and to return it through said interface.

4) During a SIS calculation, it is possible to interrupt the processor and let the interrupt handler dump the RAM. The RAM includes a number of (intermediate) calculations possibly enabling a programmer to deduce the SAK .

Disclosure of Invention

The object of the invention is to provide a security circuit ensuring that the SAK key remains secret even though the chip is connected with external data processing equipment.

A security circuit according to the invention is characterised in that the data memory is divided into an accessible area and a closed nonaccessible area, that the authentication key has been written in the closed nonaccessible area, that only the nonerasable read only memory includes routines, so-called "internal code", enabling a reading of the closed nonaccessible area, that disabling circuits are provided which produce a protection signal disabling access to the closed area for all instructions not fetched from the nonerasable read only memory and only allowing access for instructions from said area, that the CPU, the nonerasable read only memory, the closed area, the internal random access memory, and an internal data bus, and an address bus for interconnection thereof, as well as address circuits and circuits for the protection of the authentication key are accomodated on the single chip and are connected to an external memory through an external data bus and address bus located outside the single chip. As a result, the authentication key remains secret to all external calls at the same time as the CPU is connected with an external data bus and an external data memory allowing use of said CPU for other tasks beyond the primary task defined in the preamble of claim 1. The circuit is preferably such that the nonerasable read only memory is a mask-programmed ROM including the SIS- algorithm as well as routines allowing reading and writing in the closed areas, and such that the access areas include the ROM, the internal random access memory and an external memory, as well as such that the closed area includes an EEPROM. The use of an EEPROM for storing the SAK key ensures that the key is stored independent of a possible power failure because an EEPROM is a nonvolatile memory. Furthermore, as all the calls for the SAK key in the EEPROM must be performed through the nonerasable ROM, which in advance only includes the legal routines, it is ensured that only the predetermined legal calls to the SAK key are allowed.

The security system comprises preferably a circuit providing an EEPROM protection signal (EE_PROT) protecting the closed area of the memory, in which the secret key is stored, where the signal can be caused to assume a first value causing a blocking of the access to the closed area of the memory, and a second value allowing a direct access to the area. The EEPROM protection signal renders it possible to control the access to the EEPROM in such a manner that access is only allowed when the protection signal indicates that said access is allowable.

The EEPROM protection signal is preferably provided as a logic function of a security control signal (NV_PROT), the logic state of which determines whether the security system is activated, and a "LOAD INSTRUCTION REGISTER"- signal indicating that the CPU fetches instruction, as well as an address-decoder signal showing if the last instruction was fetched from the read only memory. In this manner it is obtained that 1) the security system can be activated by an activating control signal, 2) that the protection signal only allows access to the EEPROM on the basis of Instructions read in the read only memory.

The security control signal (NV_PROT) is preferably provided as a logic function of data loaded on a predetermined address and a test signal, and that the predetermined address is used for activating the clock input of a flip- flop receiving on its D-input the data stored on the address. In this manner it is possible under certain exceptional circumstances to interrupt the security system, viz. 1) while the chip Including the security circuit is still open, I.e. at the chip producer before it is packed and sealed, and 2) during the programming of the sealed chip with the secret key, e.g. at the telephone producer.

An EEPROM access signal is preferably provided as a logic function of an address bit and the EEPROM protection signal, whereby access to the EEPROM has been made dependent on the EEPROM protection signal.

According to the invention, internal code in the read only memory includes routines causing the calculation of the signed response to be performed such that intermediate calculations during the calculation are stored only in a predetermined area of the internal random access memory, and that a RAM protection signal by an internal code in the read only memory is set to a predetermined value at the beginning of the calculation of a response signal (signed response) and is not reset until the calculation has been completed and all the intermediate calculations have been erased, whereby it is possible to prevent/disable access to said predetermined area during calculation of the "signed response", and that a RAM access signal is provided by circuits as a logic function of address bits, the EEPROM protection signal and the RAM protection signal, whereby access to the RAM is allowed when the address is in the always open area of the RAM, i.e. outside the predetermined area for storage of intermediate calculations, or when the EEPROM protection signal indicates that the instruction is fetched from the read only memory, or when the RAM protection signal indicates that confidential information are not stored in the RAM.

Thus the logic state of the RAM protection signal indicates whether the RAM includes intermediate calculations which should be handled confidentially, and the RAM protection signal is used for the generation of a RAM access signal. It is hereby possible to prevent illegal access to the RAM by unauthorized persons trying to derive information on the secret SAK key.

The circuit providing the EEPROM protection signal may preferably be as stated in claim 8, and the access to the EEPROM is preferably controlled by access signals depending on the EEPROM protection signal as indicated in claim 9. The security circuit comprises according to the invention an address-dependent circuit for the control of a tristate logic of the external data bus. This circuit has the effect that only data in the external memory are visible. Thereby it is avoided that confidential data become available through the external data bus.

The security circuit comprises preferably a circuit assisting in producing two output signals MEMBR_ENb and MEMW_ENb controlling the flow of data to and from the external data bus, said circuit causing that access to the data bus is only allowed provided address-decoding circuits indicate that the requested address is found in the external memory.

The security circuit comprises preferably a logic gate which combines the output signal of the circuit with a test signal TEST_PADb on a connecting conductor from a test terminal TEST_PAD with the effect that data are visualized on the external data bus. As a result, it is possible for a chip manufacturer to follow data on the external data bus during test of a chip, that is irrespective of the memory the data are fetched from because the test pad not being bonded renders it possible to temporarily interrupt the security system, i.e. only while the chip has not yet been packed and sealed.

According to the invention the security circuit comprises an address circuit producing a SAK- area signal SAK_AREA indicating whether the requested address is found in the particular area of the memory in which the secret key is stored, and that both the SAK-area signal SAK_AREA and the security control signal NV_PROT have been transferred to a logic gate (not shown) with an output controlling the high-voltage generator of the EEPROM in such a manner that it is impossible to enter data into the SAK area when the security control signal NV_PROT indicates that the security system is operating. In this manner it is ensured that the secret key cannot be overwritten in case of a possible CPU crash.

The invention relates furthermore to a method of inserting a secret key into a security circuit as stated in claim 14. As a result, the insertion can be performed with the security attached to the key being beyond doubt. Simultaneously it is ensured that the security system can never be interrupted once the key has been inserted by the prescribed method.

Accordingly, a memory and address security system is provided, which in response to the operation being carried out can open or close the external bus system by use of hardware, and which in specific cases disables the EEPROM used for storing the SAK key. Only READ and WRITE instructions from internal code in the ROM are allowed access to the closed areas. Any external code trying to obtain direct access to the closed areas is rejected. In other words, external code can only obtain access to a closed area through calls to internal code in the ROM.

Brief Description of Drawing

The invention is described in greater detail below with reference to the accompanying drawing showing a number of diagrammatic views of a preferred embodiment of the invention, and in which

Fig. 1 illustrates a block diagram of a security circuit according to the invention,

Fig. 2 shows a diagram indicating the most essential components of the address security system according to the invention,

Fig. 3 shows a diagram of the most important components of a memory select circuit,

Fug, 4 shows a diagram of the most important components of a RAM select,

Fig. 5 shows a diagram of the most important components for generation of a security signal NV_PROT, and

Fig. 6 shows a draft of the dividing of the memory into accessible and nonaccessible, confidential areas with the associated addresses.

Best Mode for Carrying Out the Invention

The address security system solves three problems - all serving the superior purpose of maintaining the secrecy of the SAK.

1) It ensures that the nonaccessible areas are only accessible through internal code, which is called protection of the memory or memory protection.

2) It ensures that no confidential values, such as intermediate calculations resulting from the calculation of the "signed response", can be traced on the external data bus 190, which is ensured by the data bus buffer being closed, and which is subsequently referred to as trace protection or protection against tracing 186.

3) It protects the secret key SAK against an unintended overwriting in case of a CPU crash, which is called protection against overwriting of SAK or SAK write protection.

A block diagram of an example of a security circuit according to the invention is shown in Fig. 1. The security circuit comprises program and data memories called external code 130 and external data 140 connected by an external data bus 190 and address bus 191 to a single chip 100. The single chip comprises a CPU 150, an address decoder 160, an address security circuit 170, a ROM 202, an EEPROM 204, and a RAM 208 interconnected through an internal address bus 192 and data bus 194. The single chip comprises furthermore a trace protection 186 preventing protected data from being traced through the external data bus.

Protection of the memory

The basis of the new memory address security system is a dividing of the memory into a closed, confidential area only accessible under particular circumstances, and an open, generally accessible area. Fig. 6 illustrates the memory map 200 of the DAPC and indicates open, also called "green", and closed, also called "red", areas. Fig. 6 shows furthermore an internal ROM 202 including internal code, an internal EEPROM 204 inter alia including the SAK, an external memory 206 for general use, an open internal RAM 208 with an area 220 which can be closed during calculations of confidential nature, as well as internal memories 222. Internal ROM

As internal code is located in a ROM 202, said code cannot be modified, and accordingly internal code is protected against illegal modifications. The basic idea of the invention is therefore that only internal code in the ROM 202 is allowed access to the closed areas with the confidential data. Internal code in the ROM contains therefore the SIS-algorithm used for calculating the signed response on the basis of the received random challenge. The ROM includes furthermore some routines capable of reading and writing in the closed areas. The reading and writing routines are such that on request by outer so-called external code, they refuse access to the SAK and SIS- intermediate calculations during the calculations. External code may, however, be allowed access to a portion of the closed, "red" area by calling the internal procedures. Only legal procedures, such as writing of the received random challenge, are performed.

Address decoding

Fig. 2 illustrates the most important components of the address security circuit. To the left of the diagram a row of input signals are shown: NV_PROT, LIRb, CLKIN, RAM_PROT, ADDR[0...15], TEST_PADB, PO2 ann RWb. Among these signals, the LIRb, the CLKIN, the PO2, the ADDR[0...15] and the RWb originate from the CPU only shown in Fig. 1. The CPU may be a MOTOROLA 6805 and must be of the type comprising an output indicating that the CPU is reading an instruction. Everywhere in the present specification and the drawings the letter b. or B at the end of the name of a signal means that the signal in question is active when it is low. Thus when low the signal LIRb (LOAD INSTRUCTION REGISTER) indicates that the CPU is reading an instruction, and the signal can be used for detecting the area from where the instruction is fetched by examining the associated address. The signals CLKIN and P02 represent the crystal frequency and half said crystal frequency of the system and are used as clock signals. The structure of the embodiment of Fig. 2 is briefly described below. An AND-gate 21 receives a signal ROMENb and a signal NV_PROT on its two inputs. The output is connected with the D-input of a flip-flop 24, which is a d-type positive edge-trigged flip-flop. A NAND-gate 22 receives on one input the signal CLKIN and on the other input the signal P02, which is a clock s ignal o f half the crys tal frequency . The output of the NAND-gate 22 represents one input of an OR-gate 23, the other input of which receives the signal LIRb. The output of the OR-Gate 23 Is connected with the clock input of the D-flip-flop 24. The Q-output of the flip-flop 24 produces a signal called EE-PROT which is applied to a circuit 25 called a memory select and shown In greater detail in Fig. 3. When LIRb is low, the clock signal from 22 produces a clock pulse on the clock input of DFF 24. As described in greater detail below, the signal NV_PROT is always high when the mobile radio telephone has left the factory.

The upper portion of the circuit of Fig. 2 implies that each time the CPU is reading a new instruction, i.e. when LIRb goes low, the OR-gate 23 goes low too and is thus ready to go high at the next clock pulse. As a consequence thereof, the D-flip-flop 24 sets its Q-output to the logic level of the signal ROM_ENb, i.e. EE_PROT is low when internal code is read in the ROM, and otherwise high. The input signal NV_PROT is, as mentioned, usually high and is an important signal capable of disabling the security system. The production of the above signal is described in greater detail in connection with Fig. 5.

Memory select Fig. 3 illustrates the logic structure of the circuit memory select 25 of Fig. 2. To the left of the Figure, input signals are indicated. When read from above and downwards the input signals include address bits ADDR[0..15], RWb , EE_PROT, RAM_PROT. The circuit comprises an AND-gate 51 receiving on its four inputs the address bits 12, 13, 14, 15, and the output of which is connected with one input of a NAND-gate 52. The output of the NAND- gate 52 is connected with a NOR-gate 53, the output of which produces the output signal SAK_AREA. An inverter 54 receives on its input an address bit 11 also applied to a NAND-gate 55, the output of which produces the output signal ROM_ENb. The output of the inverter 54 is connected with one input of an AND-gate 56, which on its remaining inputs receives address bit 10, 9 and 8. The output of the AND-gate 56 is connected partly with an input of the NAND-gate 52 and partly with an input of a NAND-gate 57. The output of the NAND-gate 57 Is connected with an input of an OR-gate 59, which on its output produces the output signal NV_ENb. Address bits 7, 6, 5 and 4 are applied to the Input of yet another AND-gate 60, the output of which is connected with one input of the NAND-gate 52 as well as to an input of the NAND-gate 57. The address bits 5 and 4 are also applied to an AND-gate 61, the output of which is connected with an OR-gate 62, which on its other input receives the address bit 6 and the output of which is connected with a NAND-gate 63. The bit ADDR7 is also applied to an input of the NAND-gate 63, which furthermore receives input signals from the output of the NAND-gate 51 and from the output of the AND-gate 56. The output of the NAND-gate 63 is connected with an input of an OR-gate 64 and with an input of a NAND-gate 58 which also receives input signals from the NAND-gate 55 and the NAND-gate 57. The OR-gates 59 and 64 receive EE_PROT on their second input. The NAND-gate 58 produces the output signal MEM_ENb, and the OR-gate 59 produces the output signal NV_ENb. The OR-gate 59 produces the output signal NV_ENb, and the OR- gate 64 produces the output signal EE_ENb. The address bits ADDR 0, 1, 2 and 3 are inputs to a NOR-gate 65, the output of which is connected with a second input of the NOR-gate 53 and with an input of the NAND-gate 57.

The circuit "memory select" 25 of Fig. 3 ensures that access is allowed to the desired area in response to the address bits ADDR[0..15] applied to the inputs, where- after the corresponding areas of the memory are enabled by output signals briefly described below. SAK_AREA is high when the address bits are [1111, 0111, 1111,

where MSB (the most significant bit) is stated first and where

all represent combinations except for 0000. SAK_AREA refers to the area of the EEPROM wherein the SAK is stored. ROM_ENb allows the address bits [1111, 1XXX, XXXX, XXXX] ("X" indicates 0 or 1) access to the ROM, said bits making the output of the NAND-gate 55 low. MEM_ENb is low when the address searched for is neither found in ROM nor in EEPROM. NV_ENb is described below. EE_ENb allows access to the EEPROM when the signal is low (the EEPROM is usually a closed area). RAM_EN allows access to the RAM when the signal is high. EE_ENb is low only when EE_PROT is low, which occurs only when ROM_ENb is low during the reading of the latest instruction, i.e. only internal code can READ/WRITE in the EEPROM. The circuit of Fig. 3 is an address decoding circuit completely conventional per se, but it should be appreciated that the EE_PROT signal is applied to the two OR-gates 59 and 64. When EE_PROT is high, the outputs, i.e. NV_ENb and EE_ENb, of the two OR-gates 59 and 64 are high too with the effect that access to the EEPROM is blocked. With the user, i.e. after the mobile radio telephone has left the telephone producer, the EE_PROT signal depends on whether internal code fetched from the ROM or external code fetched from somehwere else is executed. Only for internal code from the ROM, i.e. when ROMENb is low, EE_PROT goes low.

Protection of RAM area

The system includes furthermore a "RAM_select " c ircui t 66 compr is ing addre s s inputs ADDR [ 0 . . 15 ] , an input for the signal EE_PROT and an input for a signal RAM_PROT as well as an output RAM_EN. The circuit 66 is illustrated in detail in Fig. 4.

The RAM_select circuit of Fig. 4 comprises an address comparator 71 with input terminals P connected to address bits 8 - 15. The eight Input terminals Q are grounded like the G-terminal. The output of the address comparator 71 is connected with the first input of a NOR-gate 72, the output of which produces the output signal RAM_EN representing RAM-enable. The input signals EE_PROT and RAM_PROT are applied to an AND-gate 73, the output of which is connected with one input of yet another AND-gate 74 . The output o f the AND - gate 74 i s conne c te d wi th the second input of the NOR-Gate 72. An address bit ADDR7 is applied to one input of a NOR-gate 75, and address bit 6 is applied to one input of an AND-gate 76, and address bits 4 and 5 are applied to the two inputs of an OR-gate 77. The output of the OR-gate 77 is connected with the second input of the AND-gate 76, the output of which in turn is connected with the second input of the NOR-gate 75. The output of the NOR-gate 75 is connected with the third input of the NOR-gate 72. The address bits 6 and 7 are also applied to the two inputs of a NAND-gate 78, the output of which is connected with the second input of the AND-gate 74.

It appears from Fig. 4, that access is allowed to the RAM when said RAM is high, i.e. when all the signals on the input of 72 are low. The first signal is low for P=Q, i.e. when the address bits 8 to 15 equal 0; which applies to all RAM-addresses. The second signal is a combination through the logic gates 73, 78 and 74:

(EE_PROT·RAM_PROT)·(

which equals zero for ADR6, 7 = 1,1, which is the case in the always open area of the RAM.

Clearly the second signal is also 0 when either EE_PROT or RAM_PROT is low (0).

Finally, the third signal is 0,

when ADR7 + (ADR6 - (ADR5+ADR4)) = 1, i.e. if ADR7 - 1 or If ADR6· (ADR50ADR4) = 1, i.e. that ADR6 -1 and ADR4, 5 + 0,0. By comparing the latter with the diagram of addresses of Fig. 6 it appears that when ADR6, 5, 4 ≤ 1,0,0 the operation is carried out in the always open areas, i.e. outside the closed, nonaccessible area of the RAM. Such a circuit is also a logic address circuit conventionally known per se, but the signals EE_PROT and RAM_PROT on the AND-gate 73 are particularly assigned to blocking a predetermined area of the RAM, here the address area from 50-BF during confidential calculations.

When the signal RAM_PROT is high, said signal protects the area 50h-BFh of the RAM, wherein SIS calculations are carried out, against access from the outside. When the CPU uses the RAM for calculating "signed response" to a "random challenge" by means of the SIS - algorithm and the SAK key, internal code of the RAM ensures that the RAM_PROT signal is set high and is not reset until all calculations have been completed and all intermediate calculations have been erased from the RAM. Subsequently, the access to that area of the RAM is restricted to the instructions fetched in the ROM and consequently causing EE_PROT to go low. When RAM_PROT is low, access to the RAM is allowed although EE_PROT is high (active protection), i.e. the RAM can usually be used without restrictions. The RAM is only closed to any operation beyond the secret calculations in the short period at the beginning of a call where the CPU is to calculate signed response. Apart from the above short period, both the RAM and the CPU are available for other tasks.

Insertion of the secret SAK key

The signals NV_ENb and NV_PROT are of particular importance. Fig. 5 shows how the signal NV_ENb assists in producing the signal NV_PROT. In Fig. 5, the signal NV_ENb is received on the input of an inverter 81, the output of which is connected with a NAND-gate 82, the output of which in turn is connected with the clock input of a D-flip-flop 83. The D-flip-flop 83 has a permanently high preset but allows a resetting on the clear input. The Q-output of the D-flip-flop provides one input to an AND-gate 84. The AND-gate 84 receives as a second input the signal TEST_PADb and provides on its output the signal NV_PROT. The D-flip-flop 83 receives D[0] on its D-input, and the NAND-gate 82 receives the signal P02 and RWb on its two other inputs. The flip-flop 83 is reset by a signal RESETb. The protection signal NV_PROT is active, i.e. protecting, when it is high. The output signal from an AND-gate being high is conditioned by both input signals being high. In other words, the protection can be interrupted by applying a low signal to the non-bonded test input or by producing a low output signal on Q-output of the flip-flop, which only occurs when a high signal is loaded to the input. When the D-flip-flop is reset through RESETb, the Q-output changes to high again (protection).

The above circuit renders the following procedure possible for insertion of the secret key. At the factory producing the single chip with CPU, ROM area, RAM area and EEPROM, a value [XXXX..X, 1] is written in a predetermined address NV_ENb (here F7F0) in connection with a final testing of the chip , e . g . during a wafer tes t , by means o f the tes t terminal "TEST PAD" in such a manner that said chip is provided with said value when the manufacturer of the mobile radio telephones receives the sealed DAPC chip in a conventional package. At the factory manufacturing the mobile radio telephone, the DACP and consequently the D- flip-flop 83 is reset, which, as mentioned, always sets the DACP in an active protecting state. Subsequently, an internal procedure is initiated whereby the information contents in the address NV_ENb, [D(0...7)] is read. As the LSB, i.e. the least significant bit, of the value read is 1,

goes low with the effect that NV_PROT changes to low. Then the security system is interrupted and it is now possible to program the SAK etc. Finally, a value XXXXXXX0b is written in the address NV_ENb. Thus the value in the address NV_ENb is in principle unimportant provided it ends with a zero. When the DACP has been reset, it is subsequently impossible to Interrupt the security system.

Protection against tracing data on external bus (trace protection)

The lower portion of Fig. 2 shows the logic circuits for the trace protection 186 indicated schematically in Fig. 1. An address comparator 26 receives address bits 8-15 and compares with (0,0...0). The output 19 is low for parity and otherwise high, and it is connected with a NAND-gate 33. A READ/WRITE signal RWb is applied by the CPU to an inverter 35, the output of which is connected with an input of an OR-circuit 29. The output of the 0R- circuit is connected with an inverter 30 in turn connected with an OR-circuit 31. The logic network includes furthermore an inverter 32, the input of which is connected with an output MEM_ENb of the memory select circuit 25. The output of the inverter 32 is connected with the NAND- gate 33 receiving on a third input the clock signal P02. The output of the NAND-circuit 33 is connected with one input of an AND-gate 34, the second input of which is connected with a non-bonded test terminal TEST_PAD. The output of the AND-gate 34 is connected with the OR-gate 31 producing on its output a signal MEMW_ENb . The output of the OR-gate 29 produces an output signal called

MEMR_ENb. The signals MEMW_ENb and MEMR_ENb are coupled to a bidirectional buffer on the data bus from the chip. When the MEMW_ENb is low, data are written out, and when the MEMR_ENb is low data are written into the chip in a manner known per se. The important feature is that the two signals only open the external data bus when the memory select circuit 25 has set MEM_ENb low, and when the address comparator 26 indicates that the address bits 8 to 15 are 0, i.e. for addresses in external memory 206, i.e. from 100h→ F7AFh.

The above circuit allows furthermore signals on the data bus to be followed by means of the non-bonded test terminal TEST_PAD of Fig. 2 during the chip manufacturer's testing of the chip not yet packed. The connection shown in Fig. 2 to the TEST_PAD renders it possible to interrupt the trace protection, i.e. the protection can only be interrupted in this manner on the open chip. Thus the lower half of the circuit of Fig. 2 protects against tracing of confidential signals. The two output signals MEMR_ENb (READ) and MEMW_ENb (WRITE) control the tristate logic 186 of the external data bus for data to and from said data bus. In other words MEMW_ENb determines whether or not data are to appear on the external data bus.

Protection against overwriting of the SAK (SAK write protection)

The last type of protection has been incorporated in order to prevent the SAK from being overwritten by accident. As explained above, it is not possible merely to write a new SAK on to the apparatus. A new SAK requires a completely new DACP because the security system, as already explained, is such that it can never be interrupted once it has been closed after completion of the insertion of the SAK. In addition, not even the manufacturer is aware of the programmed SAK because one of the SIS-system requirements is that the SAK must be completely secretly inserted. Accordingly, it would be necessary to start all over again as in connection with a new mobile radio telephone by incorporating a new DACP and forwarding a new SAK key in encrypted form to the authorities followed by a new application for a telephone number combined with the new SAK key.

The basic idea of the protection against overwriting of SAK is based on the requirement that it should never be possible to write in the SAK area once said SAK area has been programmed, neither through internal nor through external code. The criteria for the access to writing in the SAK area must therefore be whether the security control signal NV_PROT is active or not. The security control signal is only interrupted during the programming of SAK at the factory, cf. the explanation related to Fig. 5. Accordingly, the outlined solution prevents efficiently anyone from ever writing in the SAK area. The signal SAK_AREA on one of the outputs of the circuit 25 of Fig. 2, and more specifically the output of the NOR-gate 53 of Fig. 3, is high when the address bits indicate an address in the area F7F1 to F7FF, the SAK area. For address bits indicating addresses outside said area, the signal is low. The signal is together with the NV_PROT signal gated on the WRITE signal on the high- voltage generator of the EEPROM. In this manner a security is obtained by hardware ensuring that a SAK is never over- written.

It is obvious that a similar address security can be obtained by other logic combinations, and the solution shown in Figs. 1 to 5 represents nothing but an example of the invention.

Claims

1. A security circuit for a mobile radio telephone having a "Subscriber Identity Security" system (SIS) , wherein a secret authentication key (SAK) is stored In a data memory (200) including a nonerasable read only memory (ROM 202) and a random access memory (RAM 208), which together with a central processing unit (CPU) are accomodated on a single chip in the mobile radio telephone, wherein the CPU is of the type comprising an output with a "LOAD INSTRUCTION REGISTER" -signal (LIRb) indicating whether the CPU is reading an instruction, wherein the authentication key has been stored in advance in encrypted form in a memory of a base station (Mobile Telephone exchange, MTX) handling the exchange of commu- nication in the area where the mobile radio telephone is to be used, and wherein a call from a mobile radio telephone (MT) to a base station (MTX) causes said base station to an interrogative signal ("random challenge") comprising a number of bits to the calling mobile radio telephone (MT), wherein the CPU calculates a response on the basis of the received interrogative signal and the stored secret authentication key (SAK) by means of a SIS - algorithm assigned to the security system, said response being referred to as a "signed response" comprising a number of bits which are returned to the base station (MTX), said base station in the meantime having performed a corresponding calculation based on the subscriber number presented by the calling mobile radio telephone, where said subscriber number allows the base station (MTX) to locate the associated authentication key (SAK) and perform paral l e l cal cul ati ons , c h a r a c t e r i s e d in that the data memory (200) is divided into an accessible area and a closed, nonaccessible area, that the authentication key (SAK) has been written in the closed nonaccessible area, that only the nonerasable read only memory (ROM 202) includes routines, so-called "internal code", enabling a reading of the closed, nonaccessible area (EEPROM 204), that disabling circuits (21, 24) are provided which produce a protection signal disabling access to the closed area (EEPROM) for all instructions not fetched from the nonerasable read only memory (ROM 202), and only allowing access for instructions from said area (ROM), that the CPU, the nonerasable read only memory (ROM 202), the closed area (EEPROM), the internal random access memory (RAM), and an internal data bus (194), and an address bus (192) for interconnection thereof, as well as address circuits and circuits for the protection of the authentication key (SAK) are accomodated on the single chip (DACP) and are connected to an external memory through an external data bus (190) and address bus (191) located outside the single chip.

2. A security circuit as claimed in claim 1, c h a ra c t e r i s e d in that the nonerasable read only memory (ROM 20) is a mask-programmed ROM including the SlS-algorithm as well as routines allowing reading and writing in the closed areas, and that the access areas include the ROM (202), the internal random access memory (RAM 208) and an external memory (206), as well as that the closed area includes an EEPROM (204).

3. A security system as claimed in claim 1 or 2, c h a r a c t e r i s e d In that it comprises a circuit (21, 24) providing an EEPROM protection signal (EE_PROT) protecting the closed area (204) of the memory, in which the secret key (SAK) is stored, where the signal (EE_PROT) can be caused to assume a first value causing a blocking of the access to the closed area (204) of the memory, and a second value allowing a direct access to the area.

4. A security system as claimed in claim 3, c h a r ¬a c t e r i s e d in that the EEPROM protection signal

(EE_PROT) is provided as a logic function of a security control signal (NV_PROT), the logic state of which determines whether the security system is activated, and a "LOAD INSTRUCTION REGISTER" - signal (LIRb) indicating that the CPU fetches instruction, as well as an address - decoder signal (ROMENb) showing if the last instruction was fetched from the read only memory (202).

5. A security circuit as claimed in claim 3 or 4, c h a r a c t e r i s e d in that the security control signal (NV_PROT) is provided as a logic function of data loaded on a predetermined address (NV_ENb) and a test signal (TEST_PADb of Fig. 5), and that the predetermined address (NV_ENb) is used for activating the clock input of a flip-flop (83) receiving on its D-input the data stored on the address (NV_ENb).

6. A security circuit as claimed in claim 3 or 4, c h a r a c t e r i s e d in that a circuit (25) provides an EEPROM-access signal (EE_ENb) provided as a logic function of an address bit (the address bits 15-4) and the EEPROM protection signal (EE_PROT).

7. A security circuit as claimed in claim 1, c h a ra c t e r i s e d in that internal code in thee read only memory (ROM) includes routines causing the calculation of the signed response to be performed such that intermediate calculations during the calculation are stored only in a predetermined area (220) of the internal random access memory (RAM 208), and that a RAM protection signal (RAM_PROT) by an internal code in the read only memory Is set to a predetermined value at the beginning of the calculation of a response signal (signed response) and is not reset until the calculation has been completed and all the intermediate calculations have been erased, whereby it is possible to prevent/disable access to said predetermined area (220) during calculation of the "signed response", and that a RAM access signal (RAM_EN) is provided by circuits (71-78 of Fi g . 4 ) as a lo gi c func t ion o f addre s s b i ts (ADDR 4 - 15 ) , the EEPROM protection signal (EE_PROT) and the RAM protection signal (RAM_PROT), whereby access to the RAM is allowed when the address is in the always open area of the RAM, i.e. outside the predetermined area for storage of intermediate calculations, or when the EEPROM protection signal indicates that the instruction is fetched from the read only memory, or when the RAM protection signal indicates that confidential information are not stored in the RAM.

8. A security circuit as claimed in one or more of the preceding claims 3 to 6, c h a r a c t e r i s e d in that it comprises a circuit with a D-flip-flop (24), the D-input of which is loaded with a ROM-access signal (ROM_ENb) indicating whether the instant addressing is an address in the ROM (202), and the clock-input of which is controlled by the signal of the CPU for reading of instruction (LIRb) indicating whether the CPU reads an instruction, whereby a protection signal (EE-PROT) on the Q-output of the D-flip-flop indicates whether the latest instruction of the CPU has been read in the ROM.

9. A circuit as claimed in claim 8, c h a r a c t e ri s e d in that the protection signal (EE_PROT) on the output of the flip-flop (24) is transferred to inputs on logic circuits (59, 64) and is combined with output signals from an address - decoding circuit (a memory select circuit 25) in such a manner that EEPROM access signals (NV_ENb, EE_ENb) assume a logic value blocking the access to the EEPROM when the EEPROM protection signal (EE_PROT) has assumed the first protecting value.

10. A circuit as claimed in one or more of the preceding claims 1 to 9, c h a r a c t e r i s e d in that it comprises an address - dependent circuit (27-35) for the control of a tristate logic of the external data bus, said circuit having the effect that only data in the external memory are visible.

11. A circuit as claimed in claim 10, c h a r a c t e ri s e d in that It comprises a circuit (33) assisting in producing two output signals (MEMBR_ENb and MEMW_ENb) controlling the flow of data to and from the external data bus, said circuit causing access to the data bus only being allowed provided address-decoding circuits (25, 26) indicate that the requested address is found in the external memory.

12. A circuit as claimed in claim 11, c h a r a c t e ri s e d in that a logic gate circuit (34) is provided which combines the output signal of the circuit (33) with a test signal (TEST_PADb, Fig. 2) on a connecting conductor from a test terminal (TEST_PAD) with the effect that data are visualized on the external data bus.

13. A circuit as claimed in claim 4, c h a r a c t e ri s e d in that it comprises an address circuit (51, 52, 53) producing a SAK-area signal (SAK_AREA) indicating whether the requested address is found in the particular area of the memory (204) in which the secret key is stored, and that both the SAK-area signal (SAK_AREA) and the security control signal (NV_PROT) have been transferred to a logic gate (not shown) with an output controlling the high-voltage generator of the EEPROM in such a manner that it is impossible to enter data into the SAK area when the security control signal (NV_PROT) indicates that the security system is operating.

14. A method of inserting a secret key (SAK) into a security circuit as claimed in claim 2, c h a r a c t e r i s e d in that at the chip producer's during a final production test (e.g. wafer test) of a chip comprising a security circuit as claimed in claim 2, the chip producer interrupts the security system on the chip by setting a non-bonded test terminal (TEST_PAD) on the chip low, that by the completion of the test the chip producer has inserted a value having a predetermined least significant bit into a predetermined address (NV_ENb), and that internal code is provided in the ROM allowing the predetermined address (NV_ENb) to be read by an external call to the internal code, and that subsequently at the producer of the mobile radio telephone, said telephone producer resets the chip circuit activating the CPU of the chip to call internal code to read the contents of the predetermined address (NV_ENb), whereby the security system is again temporarily interrupted, whereafter the mobile radio telephone producer inserts a randomly generated authenticction key (SAK) into the EEPROM at a predetermined location, said key in encoded form being combined with a reference number (an identification of the telephone), and that the mobile radio telephone producer subsequently writes a new value, the least significant bit of which is complementary to the above least significant bit in the address (NV_ENb), whereafter the chip circuit is reset and it is subsequently impossible later on to interrupt the security system.