For a long time, computer security was habitually grounded in software. Certification that a physical element is what it claims to be has in the past been rendered difficult by software procedures capable of cloning the characteristics of physical devices or their behaviour. For example, tools appeared that made it feasible to clone the media access control (MAC) of any piece of equipment, so that security measures based on this check soon became useless.
Besides this, at the present time radio frequency identification (RFID) labels are in very extensive use. They are used to control access to buildings, carry out financial transactions or store sensitive information, as for instance in electronic passports. Unfortunately, these labels are vulnerable, as may be seen in the article on Near Field Communications (NFC) and contactless payment. Thus, they have been the target of several security incidents.
Hence, there has been considerable research into systems that would allow a simple certification procedure confirming that a physical device is truly, what it claims to be (providing a device fingerprint). There is obvious practical utility in such a tool in the fields both of physical security and the safety of information. The two most prominent theoretical lines of research in this area are a search for a Trusted Platform Module, or TPM, and for Physical Unclonable Functions, or PUFs. This article will describe these two approaches.
PUFs are functions embedded within a physical structure which are simple to evaluate when there is access to the device being checked, but almost impossible to predict or duplicate. This is the hardware equivalent of one-way functions, which are easy to evaluate but hard to invert. Such functions have not been definitively proved sure, but several candidates are assumed to be valid and have been generally accepted for use in the area of security. An example would be cryptographic hashing functions, such as the secure hash algorithm SHA-256.
Thus, a PUF may be defined as a function that relates a series of challenge – response pairs (CRPs), based on the complexity and physical randomness of an integrated circuit (IC), as may be seen in Illustration 1. The server in this schematic is perfectly aware of the pairings of challenges and responses. When necessary, it can request the embedded system to provide the result for a given PUF, which is calculated and sent as a response to the server.
Illustration 1: Schematic for a PUF with Pairs of Challenges and Responses (Source: AISEC)
This way, not only is there a check that the software response is correct, but also it is possible to check, by means of the PUF, that the hardware attempting to access the system is the device that it should be. This adds an extra layer of security.
Part of the safety provided by such a system lies in the difficulty of discovering its characteristics. This process is so long and hard that it would allow the legitimate owner to notice the theft and to take steps to revoke its permissions so it cannot be used for illicit access.
There are two kinds of PUF, depending on whether the randomness of the function is explicitly introduced or inherent to the circuit itself. This randomness of the PUF is what makes it possible to distinguish between various different devices using the same basic PUF to identify themselves.
The first type, with explicitly added randomness, requires some form of modification in the process of manufacturing the IC. This makes it more complex and expensive to implement, but does give greater capacity to distinguish between devices. Moreover, such PUFs are virtually unaffected by environmental conditions. There are two main sorts:
- Optical PUFs: In these a transparent material doped with particles, causing the dispersion of light, is integrated in the IC. The result is that there is an individual unique Speckle pattern for the device when illuminated with a laser beam. Since both the particle doping process and the interaction of the laser beam with these particles are tremendously complex phenomena, it is impossible for two different devices to produce the same Speckle pattern. Hence, it is held that it is not feasible for the function to be cloned.
- Coating PUFs: Here, the manufacturing process includes the fixing of a metal wires network as a sort of roof over the integrated circuit. The space above and below this roof is filled with opaque material and randomly doped with dielectric particles. Thanks to the random nature of the positioning of the particles, of their size and of their dielectric strength, the electrical capacitance between any given pair of wires in the network is considered random up to a certain point. Among other purposes, this randomness can be used to generate a unique identity for the device.
The second type of PUF, with intrinsic randomness, is more easily included into designs, as there is no need to change the manufacturing process for the IC. However, environmental conditions affect the PUF results, although this effect can be eliminated. This sort of PUF also comes in a number of varieties, among the commonest being the following:
- Delay PUFs: These rely on the random nature of the delays in wires and logical gates on IC boards. Given an initial challenge, a race condition is established and is propagated along different routes with checks on which running condition arrives first. After this, a latch (an electronic flip-flop circuit, not the tool you can try on INCIBE’s site) is used to store the result. This value is able to vary even when the very same logic is implemented on different ICs using identical technology and layout, owing to random variations in delays.
- SRAM PUFs: During initialization of a cell in static random access memory (SRAM) on an IC (see Illustration 2), inverters with cross-over linkage (transistors M1 to M4 in the schematic) are not controlled by any signal, so that their value in the memory will be randomly either 1 or 0. There is a high probability that a given cell in a SRAM memory will always have the same value immediately after start-up.
Illustration 2: SRAM Memory Cell
- Butterfly PUFs: These rely on the linkage between two latches. The phenomenon is similar to SRAM PUFs, except they can be implemented in any SRAM in a field programmable gate array (FGPA).
According to the theory, PUFs could be a key security element in many devices such as RFID cards. Adding PUFs to these systems might allow systems to check not just the credentials incorporated in the card, but also whether or not it is really, what it claims to be. In this way, the contents would be tied to the card itself.
PUFs may also permit other uses, for instance as very low cost high-entropy random number generators. In this case, their use should not be dependent on the characteristics of the system. This is because, as mentioned above, that would only allow the generation of a sequence of numbers that would be random, but always the same for the given device. Instead, an unpredictable challenge should be used as a seed, since the response to it would constitute a genuinely random sequence of numbers.
Nowadays, PUF modules are being implemented in some electronic devices. One of these, the MIT secure processor AEGIS, can make use of them to generate a private key with which to authenticate the processor.
Illustration 3: The AEGIS Secure Architecture.
The simple solution for this private key would have been to store it in a non-volatile memory like electrically erasable programmable read-only memory (EEPROM). However, such memories are susceptible to physical attacks, which involve breaking the outer shell without damaging the chip, then electrically extracting the private key from the memory. (Eloi Sanfelix is an expert in this field of hardware hacking, as he showed us at Rooted CON 2011 and 2012). Besides, integrating EEPROM into an IC is relatively expensive.
To keep costs low, silicon PUFs are integrated into the IC. That way, when the key is requested a physical test is carried out on the IC to obtain it. To avoid any attacker being able to capture the response to the challenge, we mask it by a cryptographic hash function, which is, as mentioned above, a one-way function.