The STM1403/1404 is a family of low power intrusion (tamper) detection security
supervisors for the Point of Sale (POS) terminal market. They enable manufacturers to meet
security standards such as FIPS-140 (NIST, US Dept. of Commerce), EMV Co, ISO, ZKA
(Germany) and Visa PED. Until recently, many of these intrusion detection functions were
implemented by using several discrete devices. The STM1403/1404 integrates all these
functions into a small profile security-friendly QFN package. The STM1403/1404 meets
most price, performance and board space objectives while ensuring customers are able to
meet current and future security certification requirements for physical and environmental
tamper detection.
The STM1403/1404 family can be used in the High Security Module (HSM) of a Point of
Sale system such as: POS terminals, PCs with cash drawers, standalone credit
authorization / debit card terminals, electronic cash registers, vending machines, standalone
check readers and signature capture devices.
1.1 High security module (HSM)
The STM1403/1404 may be incorporated into the HSM which also includes the
cryptographic module with the crypto keys stored in secure SRAM. The STM1403/1404
devices integrate most, if not all, of the key functions necessary to continuously monitor
physical tamper inputs, supply voltages (primary Vcc and secondary battery back-up) and
ambient temperature (STM1404 only).
When an intrusion is detected, an alarm is issued by the STM1403/1404 device. Once the
alarm is received by the system it can immediately initiate a process to "zeroize" the
cryptographic keys in volatile SRAM to prevent the intruder from gaining access to them.
The HSM is thus rendered non-functional, until shipped back to the factory for diagnostic
tests and re-coding.
1.2 Security levels
There are different levels of security certification depending on the system application. As
an example, the FEDERAL INFORMATION PROCESSING STANDARDS (FIPS-140)
publication provides a standard used by Federal organizations when these organizations
specify that cryptographic-based security systems are necessary to provide protection for
sensitive data. There are many other country specific and industry specific standards that
POS system vendors are required to meet.
The STM1403/1404 family has been defined to meet these standards for physical and
environmental tamper detection.
Figure 1.Federal information processing standard 140
5/14
Targeted applicationsAN2377
1.3 STM1403 integrated functions
The STM1403 device is targeted at Security Level 3 and lower. It has the following functions
integrated: STM704 battery switchover supervisor; Physical tamper detect/alarm functions;
Over/under operating voltage alarm; Battery low voltage detect function; and an optional
voltage reference (Vref) out of 1.237V.
1.4 STM1404 for security level 4
There is also the 100% pin-compatible STM1404, a functional superset of the STM1403,
targeted at highest security level 4. In addition to the functionality of STM1403, it has
several options of factory programmed over/under temperature alarms.
6/14
AN2377How it works
2 How it works
2.1 Physical tamper
The STM1403/1404 device provides four independent tamper input pins, TP1 through TP4,
that can be used to monitor four separate signals. These tamper input pins can be used to
indicate that a tamper event has occurred by either the opening or closing of a switch,
forcing the pin to its tampered state (a high level for pins TP
and TP
).
3
2.2 Over/under voltage detection
and TP4, or low level for TP1
2
When the internal voltage (VINT; where V
high voltage limit (V
) or drops below the low voltage limit (VLV), an alarm is generated.
HV
can be V
INT
or VCC), either goes above the
BAT
2.3 Over/under temperature detection (STM1404 only)
When the die temperature (TA), either goes above the high temperature limit (TH) or drops
below the low temperature limit (T
), an alarm is generated.
L
After any alarm condition occurs, the open drain Security Alarm Output (/SAL) will be forced
low.
2.4 Clearing external memory
The STM1403/1404 can easily be configured to clear external, battery-backed SRAM. One
way to clear or corrupt the external memory, is to force V
removes power from the volatile SRAM, allowing the memory array to return to its default
state, effectively clearing the sensitive data contained in the memory array. The STM140xC
is designed specifically for this purpose (See Table 1.). When any alarm condition occurs,
forcing the /SAL pin low, the V
be forced low, driving the V
pin which supplies power to the external SRAM, will also
OUT
pin of the SRAM to Ground. Figure 2.shows the circuit
CC
connection. The voltage regulator should also be disabled to avoid powering the SRAM
through the input protection of one of its address or control pins.
of the SRAM to Ground. This
CC
Table 1.STM1403/1404 V
OptionV
STM140xAONRemains powered-up
STM140xBHigh-ZFor use with negative charge pump
STM140xCGroundBasic approach to clear SRAM
status during alarm
OUT
Status during alarmAffect on external SRAM
OUT
7/14
How it worksAN2377
Figure 2.Circuit connection to drive SRAM VCC to ground (STM140xC)
2.5 Clearing the external memory using a negative charge pump
(STM140xB)
However, some SRAMs require a significant amount of time for the memory to be corrupted
if V
is simply grounded. To corrupt the memory in a shorter period of time, the user can
CC
take V
protection diode turns on forcing any internal capacitive nodes to be discharged, quickly
corrupting the memory.
Therefore, in order to rapidly corrupt the external volatile SRAM, a negative charge pump
device should be used with the STM140xB to drive V
during the tamper condition. Figure 3.shows how to connect this circuit. When using the
STM140xB with the charge pump device, the user must also provide a standard hex inverter
and an N-channel MOSFET to isolate the V
the charge pump during normal operation. During normal operation the active low / SAL
signal will be high, disabling the charge pump. While disabled, the output of most charge
pumps will be forced to Ground. In order to allow proper operation of the SRAM, the
MOSFET must be "off" to isolate V
During a tamper condition, the /SAL output will be forced low, causing the corresponding
hex inverter outputs to go high. One signal will control the inhibit pin of the DC regulator,
putting the regulator in standby mode, removing power from the circuit. A second signal will
turn ON the N-channel MOSFET, connecting the output of the charge pump with the V
of the SRAM. A third signal will enable the charge pump generating a negative voltage on
the V
function of the SRAM used, and the magnitude and duration of the negative voltage applied.
This should be characterized in the application by the user.
of the SRAM to a negative voltage. By taking VCC to a negative voltage, the input
CC
of the SRAM to a negative voltage
CC
of the STM140xB from the output (OUT) of
OUT
of the SRAM from the charge pump output.
CC
pin of the SRAM, causing data corruption. Clearing the SRAM data is primarily a
CC
CC
pin
It is typically recommended that low ESR capacitors be used with the charge pump to
reduce noise and ripple. A small capacitance value delivers less charge per clock cycle to
the output, resulting in lower output ripple and also a reduction in the maximum I
8/14
OUT
AN2377How it works
capability. Therefore, a ceramic capacitor is initially recommended with a value in the range
of 0.022µF or less.
Figure 3.Circuit connection when using negative charge pump (STM140xB)
9/14
Efficiency resultsAN2377
3 Efficiency results
Depending on the process technology used to manufacture of the external SRAM, clearing
the memory may require varying durations of negative potential on the V
At STMicroelectronics, we have evaluated several different SRAMs with different densities
and found that we were able to corrupt the memory with certain minimum duration (1
second) negative pulse widths (see Table 2., Table 3. and Table 4.).
-1V Undershoot85°C4 msecYesCorrupted with random data
-1V Undershoot
-1V Undershoot40 msecNo
25°C
-1V Undershoot80 msecNo
-1V Undershoot160 msecYesCorrupted with random data
-1V Undershoot
16 msecNo
800 msecNoPartial corruption
-1V Undershoot1.0 secNoPartial corruption
Vendor3
-1V Undershoot2.0 secYesCorrupted with random data
-2V Undershoot400 msecNo
-2V Undershoot800 msecNoPartial corruption
-2V Undershoot1 secYesCorrupted with random data
-1V Undershoot
-1V Undershoot8 secNo
-1V Undershoot20 secYesCorrupted with random data
-2V Undershoot1.6 secNo
-2V Undershoot4 secNo
-2V Undershoot10 secYesCorrupted with random data
0°C
4 secNo
-40°C
Note:The data above was taken to evaluate various SRAMs to determine the length of time
required to clear the data by grounding or forcing a negative voltage on the Vcc supply pin.
This data indicates that the time is a function of temperature, voltage and manufacturer (and
may also vary by revision). This data was taken on a very limited sample size, and should
not be considered conclusive. No data was taken to evaluate the long-term reliability impact
on the SRAM as a result of the negative voltages.
11/14
ConclusionAN2377
4 Conclusion
With the increasing frequency of credit card fraud and identity theft in applications like ATM
machines or POS terminals, ST is leading the way in protecting this sensitive data with its
new line of security supervisors. When this sensitive data is stored in external volatile
memory the STM1403/1404 solution can provide early detection when these devices have
been tampered with and also clear the RAM before the intruder can access this data.
12/14
AN2377Revision history
5 Revision history
Table 5.Revision history
DateRevisionChanges
29-Jun-20061Initial release.
13/14
AN2377
Please Read Carefully:
Information in this document is provided solely in connection with ST products. STMicroelectronics NV and its subsidiaries (“ST”) reserve the
right to make changes, corrections, modifications or improvements, to this document, and the products and services described herein at any
time, without notice.
All ST products are sold pursuant to ST’s terms and conditions of sale.
Purchasers are solely responsible for the choice, selection and use of the ST products and services described herein, and ST assumes no
liability whatsoever relating to the choice, selection or use of the ST products and services described herein.
No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted under this document. If any part of this
document refers to any third party products or services it shall not be deemed a license grant by ST for the use of such third party products
or services, or any intellectual property contained therein or considered as a warranty covering the use in any manner whatsoever of such
third party products or services or any intellectual property contained therein.
UNLESS OTHERWISE SET FORTH IN ST’S TERMS AND CONDITIONS OF SALE ST DISCLAIMS ANY EXPRESS OR IMPLIED
WARRANTY WITH RESPECT TO THE USE AND/OR SALE OF ST PRODUCTS INCLUDING WITHOUT LIMITATION IMPLIED
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE (AND THEIR EQUIVALENTS UNDER THE LAWS
OF ANY JURISDICTION), OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT.
UNLESS EXPRESSLY APPROVED IN WRITING BY AN AUTHORIZE REPRESENTATIVE OF ST, ST PRODUCTS ARE NOT DESIGNED,
AUTHORIZED OR WARRANTED FOR USE IN MILITARY, AIR CRAFT, SPACE, LIFE SAVING, OR LIFE SUSTAINING APPLICATIONS,
NOR IN PRODUCTS OR SYSTEMS, WHERE FAILURE OR MALFUNCTION MAY RESULT IN PERSONAL INJURY, DEATH, OR
SEVERE PROPERTY OR ENVIRONMENTAL DAMAGE.
Resale of ST products with provisions different from the statements and/or technical features set forth in this document shall immediately void
any warranty granted by ST for the ST product or service described herein and shall not create or extend in any manner whatsoever, any
liability of ST.
ST and the ST logo are trademarks or registered trademarks of ST in various countries.
Information in this document supersedes and replaces all information previously supplied.
The ST logo is a registered trademark of STMicroelectronics. All other names are the property of their respective owners.