By Leonardo Machado, Crypto Quantique
embedded.com (June 4, 2021)
This article explores the relative performance of SRAM PUF and quantum-derived semiconductor PUF technologies for IoT security.
There are now tens of billions of physical IoT devices connected over local networks and onward to the internet. Data from sensors transverses these networks. Actuators are actuated in response to the data. Simultaneously, applications analyze the data to facilitate a human or machine response.
But what if you don’t know which sensor is sending the data, or a response is initiated but sent to the wrong actuator? This is not just about a consumer’s smartphone exhibiting an irritating glitch. In industrial applications, it could be a production line shutting down, a hospital’s diagnostic equipment reporting the wrong information, or all the traffic lights at a road junction turning green at the same time. The potential for chaos is clear. To avoid such disasters, a fundamental requirement is to be able to identify, with absolute certainty, every IoT device on the network.
Almost without exception, a microcontroller (MCU) or other semiconductor integrated circuit (IC) is at the heart of each IoT device. It follows that if you can create a unique identity for each silicon chip, you have a unique identity for each IoT device. Such identities are sometimes described as device ‘fingerprints’ but they’re essentially just a series of random numbers. From an IoT security perspective, that’s not the whole story because if hackers attack the network, which is an increasingly common problem, they must not be able to steal device identities or duplicate them. If they can do so, it’s just a small step to being able to impersonate the devices on the network and even take control of the system to which they’re connected. That might be a car, a factory, or your home.
If, as we’re told by analysts, the IoT will soon embrace 50 billion devices, the challenge is to find a practical way of creating 10s of billions of unique, protectable, identities.
Today, most companies ‘inject’ the identities and keys into IoT devices, which means loading them with random numbers. It’s a process that’s relatively expensive – we estimate anywhere between 50 cents and 2 USD per device – and it sometimes means involving a third party in the IoT supply chain, which potentially adds risk. Two other risk factors need to be taken into account. First, the keys may not be as random as they should be. They may simply be derived from a computer’s clock chip. Second, injected keys need to be stored in a chip’s memory, making them vulnerable to leakage or theft.
Click here to read more ...