$263 WHITE PAPER. Flexible Key Provisioning with SRAM PUF. Securing Billions of IoT Devices Requires a New Key Provisioning Method that Scales

Size: px

Start display at page:

Download "$263 WHITE PAPER. Flexible Key Provisioning with SRAM PUF. Securing Billions of IoT Devices Requires a New Key Provisioning Method that Scales"

Rosalyn Davis
5 years ago
Views:

1 WHITE PAPER Flexible Key Provisioning with SRAM PUF SRAM PUF Benefits Uses standard SRAM Device-unique keys No secrets reside on the chip No key material programmed Flexible and scalable Certifications: EMVCo, Visa CC EAL6+ US and EU Governments 50 billion connected devices by 2020 $263 billion In related service spending by 2020 Key Provisioning Benefits Keys can be provisioned at any stage of manufacturing Reduced liabilities: no sensitive key material is exposed in the supply chain Lower total cost of ownership scales with market growth IoT Market Industrial Automotive Health Wearables Smart grid Home Securing Billions of IoT Devices Requires a New Key Provisioning Method that Scales Even the most innocuous IoT endpoints (webcams, DVR recorders, light bulbs) need protection, as demonstrated in the September 2016 Mirai cyber attack. The exploitation of these types of nodes led to a large scale disruption of Internet services. The economic impact of such attacks can be huge, however they are only an early warning of what is to come. The best way to protect against the expansion of these threats is to prioritize the integration of appropriate and affordable security measures for all IoT devices from endpoints, to hosts, hubs and the cloud. Important barriers that hold back this integration are high cost, inflexibility, and lack of scalability of legacy key injection models. In this white paper, we propose an IoT key provisioning method based on SRAM Physical Unclonable Functions. This method removes the barriers of securing a broad range of IoT devices, even resource limited endpoints, building the foundation for an Internet of things we can trust.

2 Securing IoT Devices - Current and Future Needs The IoT will connect billions of stand-alone devices in endpoints, hubs, gateways, etc., often deeply embedded in sensitive or even critical systems. Since these systems will make decisions autonomously, methods for securing these devices and their data flows need to be put in place. A device in the field needs to process data securely, authenticate to the network, set up secure connections with other devices and register to services. Modern security systems in smart devices use cryptography as a basic tool. The main cryptographic functions used in security systems are encryption and authentication. These primitives depend on a secret key. There are two main problems with the secret keys: I. secret keys have to be kept secret II. secret keys have to be generated and injected into the devices The first problem is addressed in another white paper 1. In this white paper we will concentrate on topic II. Root Key Bootstrapping the cryptographic system of a device requires a root key. The process of installing a cryptographic root key on devices is called Root Key Provisioning (RKP). Furthermore, cryptographic algorithms and keys should be protected or separated from the application software in some Security Subsystem. This is a secure area inside the device that can not be tampered with and deals securely with root keys and hence can be trusted. It interacts via an Application Programming Interface (API) with the rest of the system. From One Key, Many Once root keys are properly installed, the security subsystem is able to provide cryptographic services for authentication, encryption and key management to the OS and software programs running on the CPU. On top of this, an Application Key Provisioning (AKP) system enables software, middleware, the OS, applications and services to provision their own application keys securely into the security subsystem. Security Compromises The large number of devices within the IoT puts additional constraints on the way device keys are generated, stored, managed and provisioned. The current techniques always demand a difficult trade-off between the level of security and the size, complexity and cost of the security measures (strength of the keys, footprint of the cryptographic software, ). For a successful IoT security implementation, such a trade-off is not workable and is causing many IoT devices to ship without adequate protection. Hence they can be misused as we have seen in the September 2016 Mirai attack on the Internet. 2 In summary, securing billions of IoT devices requires a low-cost solution, deployable from expensive high-end chips to low-end controllers and sensors. 1 SRAM PUF: The secure silicon fingerprint. 2 Heightened DDoS Threat Posed by Mirai and Other Botnets 2

Key Provisioning in Today s Supply Chain In today s supply chain the root keys are generated outside the electronic devices and injected during the production process.

Roles in Today s Supply Chain The Original Equipment Manufacturer (OEM) designs products based on available IP, including both hardware (micro controllers, wireless connectivity chips, video

The Silicon Manufacturer (SM) develops a wide variety of integrated circuits, ASICs, SoCs, ASSPs (chips) out of which the OEM choses the right part for their product needs.

The Contract Manufacturer (CM) uses design files from the OEM to produce printed circuit boards, places the chips from multiple SMs onto them and assembles the products.

3 Key Provisioning in Today s Supply Chain In today s supply chain the root keys are generated outside the electronic devices and injected during the production process. We briefly explain the essential components of this method in today s supply chain and review its shortcomings and limitations. Roles in Today s Supply Chain The Original Equipment Manufacturer (OEM) designs products based on available IP, including both hardware (micro controllers, wireless connectivity chips, video accelerators, etc.) and software (operating system, device management middleware, applications, etc.) components. The Silicon Manufacturer (SM) develops a wide variety of integrated circuits, ASICs, SoCs, ASSPs (chips) out of which the OEM choses the right part for their product needs. The SM delivers the required chips to the OEM s supply partners. The Contract Manufacturer (CM) uses design files from the OEM to produce printed circuit boards, places the chips from multiple SMs onto them and assembles the products. The CM is also responsible for loading and testing the software that is installed on the products before they ship to the end-user. The Application Provider (AP) builds applications that can be loaded on the products in the field, allowing the end-users to connect to cloud services, add features, and update their product throughout its lifetime. The end-user adds additional applications from various application providers that may connect to cloud services. Shortcomings and Limitations of Legacy Key Provisioning Within the legacy model, RKP needs to be done early in the supply chain typically at the SM (see Figure 1). For example, the AKP is done by an Application Provider (AP) in the field to set up a secure channel with a cloud service. Silicon Mfg. Contract Mfg. System OEM Application Provider Root Key Application Keys Chip Production Device Manufacturing Use in the Field Figure 1.: Supply chain and key provisioning of electronic devices from Silicon Manufacturer to end-user.! 3

4 Most widely used embedded key storage methods are based on One-Time Programmable (OTP) memory such as fuses and anti-fuses, or on Non-Volatile Memory (NVM) such as EEPROM and Flash. With these memory types, the provisioning of root keys comes with trade-offs between flexibility, key-exposure liability, cost and security. Keys stored in fuses and anti-fuses are programmed with special equipment early in the supply chain, typically by the SM or its distributor. The parties that handle the chips later in the chain do not have access to the programming functionality as it is typically controlled by the SM. Hence, the OEM either needs to hand over root keys for its devices to the SM or trust the SM to create root keys. The disadvantages are: i) an undesired liability for the SM to correctly handle all the keys for the different OEM customers, ii) higher costs for the OEM as the SM charges costs for key programming, testing and handling, iii) Chip cannot be re-used (bound to OEM). Keys stored in EEPROM or Flash memory on the other hand can be programmed in later stages in the supply chain, for example at the OEM. However, this storage type is typically designed for storing application code and not for the secure storage of sensitive key material. It can be freely accessed by the CPU on the device. Therefore the keys are vulnerable to readout attacks. The only protection method is via software obfuscation, offering very limited security. Dedicated and protected Flash storage for keys exists, but is prohibitively expensive for many types of devices. Both key storage models are not scalable when the number of devices runs into the billions. The injection of cryptographic root keys requires an additional step in the chip production process and is hence too expensive for securing billions of low-end sensors and controllers The fact that keys need to be injected from the outside early in the supply chain is a logistic challenge for the OEM/SM. The OEM needs a reliable sales forecast to order the right number of root key provisioned chips. When too many chips are ordered he suffers a loss while ordering not enough chips leads to late deliveries and hence loss of market share. Keys Extracted from a Chip s Silicon Fingerprint The SRAM PUF SRAM Physical Unclonable Functions or PUFs use the behavior of standard SRAM memory available in any digital chip, to extract a unique pattern or silicon fingerprint. They are virtually impossible to clone or predict. This makes them very suitable for applications such as secure key generation and storage, device authentication, flexible key provisioning and chip asset management. Due to inherent deep sub-micron process variations in the production process, every transistor in SRAM cells has slightly random electric properties. This randomness is expressed in the startup values of uninitialized SRAM memory. These values form a unique chip fingerprint, called the SRAM PUF response. SRAM PUF R Fuzzy Extractor Helper Data Figure 2. One-time enrollment phase: the Fuzzy Extractor reads out an SRAM PUF response (R) and computes Helper Data.! 4

5 SRAM PUF R d1 d2 Figure 3: Key Reconstruction phase for the generation of SRAM PUF keys: The device-unique root key or PUF Key is derived from a new SRAM PUF response (R ) and Helper Data. Key derivation functions derive various symmetric keys (K1, K2, K3,...) as well as private keys (d1, d2, d3,..) and corresponding public keys (Q1,Q2, Q3, ). The blue line indicates the boundary of the Security Subsystem. d3 Helper Data Fuzzy Extractor Key Derivation Functions Public Key Crypto PUF Key Q1 Q2 Q3 K1 K2 K3 Key Provisioning based on SRAM PUF The SRAM PUF response (R) is a noisy fingerprint of the chip, and turning it into a reliable cryptographic root key requires further processing. This processing is done with a Fuzzy Extractor or Helper Data Algorithm, which is typically implemented inside a chip as Hardware or Software IP. 3 The Fuzzy Extractor has two modes of operation: Enrollment (Figure 2) and Key Reconstruction (Figure 3). In Enrollment mode, which is typically executed once over the lifetime of the chip, the Fuzzy Extractor reads out an SRAM PUF response (R) and computes so-called Helper Data. By design the Helper Data does not reveal any information on the cryptographic key and can therefore be stored in any kind of Non-Volatile Memory (NVM). Whenever the cryptographic root key is needed by the system, the Fuzzy Extractor is used in the Key Reconstruction mode. In this mode a new SRAM PUF response (R ) is read out and Helper Data is applied to correct the noise. A hash function is subsequently applied to reconstruct the cryptographic root key (PUF key). In this way exactly the same cryptographic key can be reconstructed every time and under many (environmental) circumstances. Via cryptographic key derivation functions, multiple symmetric (e.g AES, DES, ) and asymmetric (e.g. ECC) keys are derived directly from the reconstructed PUF key as indicated in Figure 3. When the device is powered off, no secret key can be found in any memory. Hence, the Fuzzy Extractor can extract a tree of cryptographic keys (starting from the PUF root key) without storing them in a non-volatile memory. Key Advantages This SRAM PUF root key extraction and derivation method has several advantages compared to the legacy key storage models (see Table 1). It offers flexibility as the root key generation and programming step can be executed at any stage in the supply chain. Method Benefits SRAM PUF OTP NVM Flexible Programming Limited Liabilities Low Cost Provisioning Secure Key Storage Uniqueness of Keys Table 1: Comparison of the benefits of the different embedded key storage types 3 J.-P. Linnartz and P. Tuyls, New shielding functions to enhance privacy and prevent misuse of biometric templates, in International Conference on Audio and Video-based Biometric Person Authentication (AVBPA 03), LNCS vol. 2688, pp , Springer-Verlag 2003.! 5

6 This reduces liabilities since there is no key transfer required between the different partners in the supply chain. Costs are reduced since no keys have to be programmed in fuses by the SM. Thirdly, compared to storing keys in Flash memory, no sensitive data is found in NVM. Finally, because of the high entropy of the SRAM PUF source, uniqueness of the root keys is guaranteed by physics. It is therefore less susceptible to (human) errors in the key injection process. Scalable Key Provisioning from Silicon to Cloud Secure Application Key Provisioning The asymmetric key pair (d,q) that is derived from the SRAM PUF root key, (see Figure 3) is used for i) setting up a Certified Identity and ii ) providing a secure channel to the device by which Application Keys are provisioned. In order to set up a Certified Identity for the device, a One-Time Trust (OTT) event is needed. It combines the generation of device root keys with a certification step by a trusted party in the supply chain. The OTT event comprises the following steps: i) a public key corresponding to a PUF-derived private key gets exported from the security subsystem ii) a Trusted Party observes the key export event and signs the public key as part of a device s Identity Certificate iii) the resulting Identity Certificate is stored in the device. This requires only one trusted party located in the supply chain, unlike the legacy model where multiple parties in the supply chain need to be trusted. One-Time Trust event using SRAM PUF The root key is generated from the SRAM PUF One or more public/private key pairs are derived from the root key The device gets an Identity Certificate on its public key(s) Minimal trust base: a trusted party assures that only public keys generated by authentic devices are signed After a device has obtained an Identity Certificate as defined above, other parties can use the certificate to securely provision application keys. For example, an Application Provider (AP) provisions an application key to the device in the field with its Provisioning Server. First, the Provisioning Server validates the device certificate with the public key of the Trusted Party. Second, the AP encrypts the application key with the device s public key. Finally, the device receives and decrypts the application key with its private key inside the security subsystem. Then, it re-encrypts the application key with a symmetric root key for secure storage. As part of the second step the device may check a certificate of the application owner s Provisioning Server. The scheme above never exposes the device root key and its derived private key. They don't leave the device and are not known by any party in the supply chain. On top of this neither the OEM, nor the AP have to share any of their secrets with another party in the supply chain. In particular the SM does not have to handle any keys. This does not only reduce its liability but also simplifies its logistics. We also emphasize that as well the root key provisioning as the application key provisioning can be performed in the field. This removes any delay in the production of the chips as well as the devices, leading to higher yield and lower costs.! 6

7 Complete Provisioning Flow In Figure 4 this complete key provisioning flow is illustrated. The legacy model (Top) is compared with SRAM PUF key provisioning flow (Bottom). For the legacy model, we depict a provisioning flow based on keys in OTP memory. In this model, sensitive key material is handed over from OEM to SM in order to provision root keys (step 2). The OEM provides (public) keys to application providers (step 6) so that the AP can provision application keys to the device (step 7). In this model, keys are exposed at least at one stage and often at different stages in the supply chain. Legacy Key Provisioning 1. IC Production 2. Root key provisioning 3. IC Distribution 4. Contract Mfg. 5. Device Shipping 6. Transfer access key 7. App Key Provisioning SM CM OEM User AP Area of potential key exposure Key Provisioning using SRAM PUF 1. IC Production 2. IC Distribution 3. Contract Mfg. 4. OTT event 5. Device Shipping SM CM OEM User AP App Key Provisioning Figure 4: Legacy Key Provisioning flow - based on root keys in OTP memory (Top), compared to Key Provisioning flow based on SRAM-PUF root keys (Bottom) In the production flow based on SRAM PUF (see Figure 4, Bottom), the CM is trusted by the OEM for correctly producing its devices. The CM acts as the Trusted Party that executes the OTT event. Note that no secrets are shared during this process with other parties.! 7

8 Conclusion The described key provisioning method based on SRAM PUF has several advantages in terms of scalability, flexibility and security compared to the Legacy methods: Increased flexibility: Root keys are only installed on the chip during the OTT step, which can be done at any suitable stage in the production process. Scalability: No additional hardware, or hardware modification is needed to deploy. The fact that SRAM is universally available in any digital chip and that only a very limited amount of SRAM is needed, makes the method scalable to all kinds of IoT devices from low-end to high-end. Reduced liabilities: No sensitive key material is handed over to the SM, reducing liabilities. Up to the point where the OTT event is executed, the chips are blank with respect to any keys and hence they can be sold to any OEM. Reduced costs: The SM does not have to install an HSM for injecting keys and doesn t have to slow down its production flow for injecting keys. He does not have to prepare chips for a specific OEM anymore, which removes minimum order requirements for the OEM and reduces costs of key handling. Hardware based security: Provisioned keys are securely stored using SRAM PUF technology and only present within the device s security perimeter for a minimal time window. Guaranteed uniqueness: Cryptographic root keys are generated from a high-entropy on-chip PUF source, guaranteeing uniqueness of the keys.! 8

Glossary AES AKP AP API ASIC ASSP CC EAL6+ CM CPU DDoS DES DVR ECC EEPROM EMV EMVCo, Visa HSM IC IoT IP OEM OTP OTT OS NVM PUF RKP SM SoC SRAM Advanced Encryption Standard Application Key

augmented: resistance to attackers with high attack potential Contract Manufacturer Central Processing Unit Distributed Denial of Service Data Encryption Standard Digital Video Recorder Elliptic

Certificate issued by EMVCo for secure payment transactions (based on EMV specifications and related testing processes) Hardware Security Module Integrated Circuit Internet of Things Intellectual

9 Glossary AES AKP AP API ASIC ASSP CC EAL6+ CM CPU DDoS DES DVR ECC EEPROM EMV EMVCo, Visa HSM IC IoT IP OEM OTP OTT OS NVM PUF RKP SM SoC SRAM Advanced Encryption Standard Application Key Provisioning Application Provider Application Programming Interface Application-Specific Integrated Circuit Application-Specific Standard Product Common Criteria Evaluation Assurance Level 6 augmented: resistance to attackers with high attack potential Contract Manufacturer Central Processing Unit Distributed Denial of Service Data Encryption Standard Digital Video Recorder Elliptic Curve Cryptography Electrically Erasable Programmable Read Only Memory Europay, MasterCard and Visa standard for inter-operation of IC cards, for authenticating credit and debit card transactions Certificate issued by EMVCo for secure payment transactions (based on EMV specifications and related testing processes) Hardware Security Module Integrated Circuit Internet of Things Intellectual Property Original Equipment Manufacturer One-Time Programmable memory One-Time Trust Operating System Non-Volatile Memory Physical Unclonable Function(s) Root Key Provisioning Silicon Manufacturer System-on-a-Chip Static Random Access Memory info@intrinsic-id.com Intrinsic ID. QUIDDIKEY, and designated brands included herein are trademarks of Intrinsic ID. All other trademarks are the property of their respective owners.! 9

Connecting Securely to the Cloud

Connecting Securely to the Cloud Security Primer Presented by Enrico Gregoratto Andrew Marsh Agenda 2 Presentation Speaker Trusting The Connection Transport Layer Security Connecting to the Cloud Enrico