Hardware Security Chester Rebeiro IIT Madras 1
Physically Unclonable Functions Physical Unclonable Functions and Applications: A Tutorial http://ieeexplore.ieee.org/document/6823677/
Edge Devices 1000s of them expected to be deployed Low power (solar or battery powered) Small footprint Connected to sensors and actuators Expected to operate 24 x 7 almost unmanned 24x7 these devices will be continuously pumping data into the system, which may influence the way cities operate Will affect us in multiple ways, and we may not even know that they exist. 3
Authenticating Edge Devices Stored keys • Private keys – EEPROM manufacture is an overhead – Public key cryptography is heavy – Can be easily copied / cloned Public keys stored in server Encryption done in edge device 4
Physically Unclonable Functions No stored keys • Digital Fingerprints No public key cryptography • Cannot be cloned / copied • Uses nano-scale variations in manufacture. No two devices are exactly identical • challenge / response Public keys stored in server Encryption done in edge device 5
PUFs A function whose output depends on the input as well as the device executing it. 6
What is Expected of a PUF? (Inter and Intra Differences) Response response challenge challenge Response response (Reliable) (Unique) Same Challenge to Same PUF Same Challenge to different PUF Difference between responses must be large on expectation Difference between responses must be small on Significant variation due to manufacture expectation Irrespective of temperature, noise, aging, etc. 7
What is Expected of a PUF? (Unpredictability) Difficult to predict the output of response a PUF to a randomly chosen challenge when one does not have access to the device challenge response 8
Intrinsic PUFs • Completely within the chip – PUF – Measurement circuit – Post-processing • No fancy processing steps! – eg. Most Silicon based PUFs 9
Silicon PUFs eg. Ring Oscillator PUF Ring Oscillator with odd number of gates 1 f Frequency of ring oscillator f = 2 nt n Number of stages t Delay of each stage Frequency affected by process variation. 10
Why variation occurs? MOS Transistor CMOS Inverter Delay depends on capacitance When gate voltage is less than threshold no current flows Process Variations When gate voltate is greater than threshold current • Oxide thickness flows from source to drain • Doping concentration Threshold voltage is a function of doping • Capacitance concentration, oxide thickness 11
Silicon PUFs ⎧ f A > f B ⎪ N bit challenge 1 response = ⎨ 0 f A ≤ f B eg. Ring Oscillator PUF ⎪ ⎩ 1 R A 2 counter 3 1 bit > response enable N-2 R B counter N-1 N 12
Results of a RO PUF 15 Xilinx, Virtex 4 FPGAs; Inter Chip Variations 1024 ROs in each FPGA; (Uniqueness measurement) Each RO had 5 inverter stages and 1 AND gate response challenge response When 128 bits are produced, Avg 59.1 bits out of 128 bits different Physical Unclonable Functions for Device Authentication and Secret Key Generation https://people.csail.mit.edu/devadas/pubs/puf-dac07.pdf 13
Results of a RO PUF 15 Xilinx, Virtex 4 FPGAs; Intra Chip Variations (Reproducability measurement) 1024 ROs in each FPGA; Each RO had 5 inverter stages and 1 AND gate 20 o C; 1.2V response challenge response 0.61 bits on average out of 128 bits differ 120 o C 1.08V Physical Unclonable Functions for Device Authentication and Secret Key Generation https://people.csail.mit.edu/devadas/pubs/puf-dac07.pdf 14
Arbiter PUF 0 Switch 1 0 0 1 1 0 0 1 1 Ideally delay difference between Red and Blue lines should be 0 if they are symmetrically laid out. In practice variation in manufacturing process will introduce random delays between the two paths 15
Arbiter D FF D FF ? D Q clk If the signal at D reaches first then Q will be set to 1 If the signal at clk reaches first then Q will be set to 0 16
Arbiter PUF 1 0 0 0 1 1 challenge 1 0 1 1 1 D Q 1 if top 0 0 0 … path is rising faster, 0 0 0 G Edge else 0 1 1 1 The image cannot be displayed. Your computer may not have enough memory to open the image, or the image may have been corrupted. Restart your computer, and then open the file again. If the red x still appears, you may have to delete the image and then insert it again. 13.56MHz Chip For ISO 14443 A spec. 17
Results for RO PUF Design and Implementation of PUF-Based “Unclonable” RFID ICs for Anti-Counterfeiting and Security Applications IEEE Int.Conf. on RFID, 2008, S. Devdas et. Al. 18
Comparing RO and Arbiter PUF ⎛ ⎞ Number of Challenge : Number of Challenge : 2 N N ⎜ ⎟ Response Pairs : Response Pairs : 2 ⎝ ⎠ #CRPs linearly related to the number #CRPs exponentially related to the number of components of components WEAK PUF STRONG PUF 19
Weak PUF vs Strong PUF Weak PUF Strong PUF Very Good Inter and Intra differences • • Huge number of Challenge Response Pairs (CRPs) Comparatively few number of Challenge • Response Pairs (CRPs) It is assumed that an attacker cannot • Enumerate all CRPs within a fixed time interval. CRPs must be kept secret, because an attacker • Therefore CRPs can be made public may be able to enumerate all possible CRPs Formally, an adversary given a poly-sized sample • • Weak PUFs useful for creating cryptographic of adaptively chosen CRPs cannot predict the keys Response to a new randomly chosen challenge. • Typically used along with a cryptographic scheme Does not require any cryptographic scheme, since • (like encryption / HMAC etc) to hide the CRP CRPs can be public. (since the CRPs must be kept secret) 20
PUF Based Authentication (with Strong PUF) CRPs Bootstrapping: At manufacture, server builds a database of CRPs for each device. At deployment, server picks a random challenge from the database, queries the device and validates the response response challenge 21
PUF Based Authentication Man in the Middle CRPs Man in the middle may be able to build a database of CRPs To prevent this, CRPs are not used more than once challenge response 22
PUF Based Authentication CRP Tables CRPs Each device would require its own CRP table and securely stored in a trusted server. Tables must be large enough to cater to the entire life time of the device or needs to be recharged periodically (scalability issues) challenge response CRPs 23
PUF based Authentication (Alleviating CRP Problem) Secret Model of PUF Gate Delays of PUF components Bootstrapping: At manufacture, server builds a database of gate delays of each component in the PUF. At deployment, server picks a random challenge constructs its expected response from secret model, queries the device and validates the response Still Requires Secure Bootstrapping and Secure Storage 24
PUF based Authentication (Alleviating CRP Problem) • PPUF : Public Model PUF Bootstrapping: Download the public model of Trusted server PUF from the trusted server. At deployment, (PKI) server picks a random challenge constructs Gate Delays of PUF expected response from public model, queries Components (Public) the device and validates the response. If time for response is less than a threshold accept response else rejects. Assumption: A device takes much less time to compute a PUF response than an attacker who models the PUF. T < T 0 ? 25
PUF based Authentication (Alleviating CRP Problem) Homomorphic Encryption Encrypted CRPs Untrusted Cloud R e s p o n s e 26
Conclusions • Different types of PUFs being explored – Analog PUFs, Sensor PUFs etc. CRP issue still a big problem • Several attacks feasible on PUFs. • – Model building attacks (SVMs) – Tampering with PUF computation (eg. Forcing a sine-wave on the ground plane, can alter the results of the PUF) PUFs are a very promising way for lightweight authentication of edge devices. • 27
Hardware Trojans Hardware Security: Design, Threats, and Safeguards; D. Mukhopadhyay and R.S. Chakraborty Slides from R. S. Chakraborty, Jayavijayan Rajendran, Adam Waksman
Hardware Trojan Malicious and deliberately stealthy modification made to an electronic • device such as an IC It can change the chips functionality thereby undermine trust in • systems that use this IC key crypto Module ciphertext input 29
Hardware Trojan Malicious and deliberately stealthy modification made to an electronic • device such as an IC It can change the chips functionality thereby undermine trust in • systems that use this IC key 1 crypto Module ciphertext 0 input 30
Example of a Hardware Trojan Cheat Code (combinational trojans) key 1 crypto Module 0xcafebeef ciphertext 0 input Trigger Properties of Hardware Trojan: If (input == 0xcafebeef) very small • select = 1 • mostly passive else select = 0 31
Example of a Hardware Trojan Sequential Trojan (Timebombs) key 1 0xca crypto Module 0xaf ciphertext time 0 input 0xee 0xbe Trigger 0xef select = 0 select = 1 ca Properties of Hardware Trojan: very small • af ef • mostly passive ee be 32
Recommend
More recommend
