Dries Schellekens

Reconfigurable Physical Unclonable Functions - Enabling technology for tamper-resistant storage

A PUF or Physical Unclonable Function is a function that is embodied in a physical structure that consists of many random uncontrollable components which originate from process variations during manufacturing. Due to this random structure a physical stimulus or challenge generates unpredictable responses. Because of their physical properties PUFs are unclonable and very promising primitives for the purpose of authentication and storage of cryptographic keys. Previous work on PUFs considers mainly static challenge-response PUFs. In many applications, however, a dynamic PUF would be desirable, e.g., in order to allow the key derived from the PUF to be updated. We define a new primitive, the reconfigurable PUF (rPUF) which is a PUF with a mechanism to transform it into a new PUF with a new unpredictable and uncontrollable challenge-response behavior, even if the challengeresponse behavior of the original PUF is already known. We present two practical instantiations of a reconfigurable PUF. One is a new variant of the optical PUF, and the other is based on phase change memory. We also illustrate how an rPUF can be used to protect non-volatile storage against invasive physical attacks.

FPGA Vendor Agnostic True Random Number Generator

This paper describes a solution for the generation of true random numbers in a purely digital fashion; making it suitable for any FPGA type, because no FPGA vendor specific features (e.g., like phase-locked loop) or external analog components are required. Our solution is based on a framework for a provable secure true random number generator recently proposed by Sunar, Martin and Stinson. It uses a large amount of ring oscillators with identical ring lengths as a fast noise source - but with some deterministic bits - and eliminates the non-random samples by appropriate post-processing based on resilient functions. This results in a slower bit stream with high entropy. Our FPGA implementation achieves a random bit throughput of more than 2 Mbps, remains fairly compact (needing minimally 110 ring oscillators of 3 inverters) and is highly portable

Remote attestation on legacy operating systems with trusted platform modules

A lot of progress has been made to secure network communication, e.g., through the use of cryptographic algorithms. However, this offers only a partial solution as long as the communicating end points still suffer from security problems. A number of applications require remote verification of software executing on an untrusted platform. Trusted computing solutions propose to solve this problem through software and hardware changes, typically a secure operating system and the addition of a secure coprocessor respectively. On the other hand, timed execution of code checksum calculations aims for a solution on legacy platforms, but can not provide strong security assurance. We present a mixed solution by using the trusted computing hardware, namely the time stamping functionality of the trusted platform module, in combination with a timing based remote code integrity verification mechanism. In this way, we do not require a secure operating system, but at the same time the overall security of the timed execution scheme can be improved.

Reconfigurable trusted computing in hardware

Trusted Computing (TC) is an emerging technology towards building trustworthy computing platforms. The TrustedComputing Group (TCG) has proposed several specifications to implement TC functionalities by extensions to common computing platforms, particularly the underlying hardware with a Trusted Platform Module (TPM). However, actual TPMs are mostly available for workstations and servers nowadays and rather for specific domainapplications and not primarily for embedded systems. Further, the TPM specifications are becoming monolithic andmore complex while the applications demand a scalable and flexible usage of TPM functionalities. In this paper we propose a reconfigurable (hardware) architecture with TC functionalities where we focus on TPMsas proposed by the TCG specifically designed for embedded platforms. Our approach allows for (i) an efficient andscalable design and update of TPM functionalities, in particular for hardware-based crypto engines and accelerators, (ii) establishing a minimal trusted computing base in hardware, (iii) including the TPM as well as its functionalities into the chain of trust that enables to bind sensitive data to the underlying reconfigurable hardware, and (iv) designing a manufacturer independent TPM. We discuss possible implementations based on current FPGAs and point out the associated challenges, in particular with respect to protection of the internal TPM state since it must not be subject to manipulation, replay, and cloning

Helper Data Algorithms for PUF-Based Key Generation: Overview and Analysis

Security-critical products rely on the secrecy and integrity of their cryptographic keys. This is challenging for low-cost resource-constrained embedded devices, with an attacker having physical access to the integrated circuit (IC). Physically, unclonable functions are an emerging technology in this market. They extract bits from unavoidable IC manufacturing variations, remarkably analogous to unique human fingerprints. However, post-processing by helper data algorithms (HDAs) is indispensable to meet the stringent key requirements: reproducibility, high-entropy, and control. The novelty of this paper is threefold. We are the first to provide an in-depth and comprehensive literature overview on HDAs. Second, our analysis does expose new threats regarding helper data leakage and manipulation. Third, we identify several hiatuses/open problems in existing literature.

Analysis and design of active IC metering schemes

Outsourcing the fabrication of semiconductor devices to merchant foundries raises some issues concerning the IP protection of the design. Active hardware metering schemes try to counter piracy of integrated circuits by enforcing the fabrication plant to run an activation protocol with the IP owner for every chip that is produced. In this work, we analyze the protocols of two active hardware metering schemes that were recently proposed by Roy et al. in [1], [2]. We study how these schemes achieve security and based on this, we suggest more efficient and secure versions for both. Finally, we present a simplified and secure activation protocol based on physically unclonable functions.

Embedded Trusted Computing with Authenticated Non-volatile Memory

Trusted computing is an emerging technology to improve the trustworthiness of computing platforms. The Trusted Computing Group has proposed specifications for a Trusted Platform Module and a Mobile Trusted Module. One of the key problems when integrating these trusted modules into an embedded system-on-chip design, is the lack of on-chip multiple-time-programmable non-volatile memory. In this paper, we describe a solution to protect the trusted modules persistent state in external memory against non-invasive attacks. We introduce a minimal cryptographic protocol to achieve an authenticated channel between the trusted module and the external non-volatile memory. A MAC algorithm has to be added to the external memory to ensure authenticity. As a case study, we discuss trusted computing on reconfigurable hardware. In order to make our solution applicable to the low-end FPGA series which has no security measures on board, we present a solution that only relies on the reverse engineering complexity of the undocumented bitstream encoding and uses a physically unclonable function for one-time-programmable key storage. Clearly, this solution is also applicable to high-end series with special security measures on board. Our solution also supports field updates of the trusted module.

Threat Modelling for Security Tokens in Web Applications

In the last couple of years, several European countries have started projects which intend to provide their citizens with electronic identity cards, driven by the European Directive on Electronic Signatures. One can expect that within a few years, these smart cards will be used in a wide variety of applications. In this paper, we describe the common threats that can be identified when using security tokens such as smart cards in web applications. We illustrate each of these threats with a few attack scenarios. This paper is part of a series of papers, written by several academic teams. Each paper focuses on one particular technological building block for web applications.

Secure interrupts on low-end microcontrollers

Embedded devices are increasingly becoming interconnected, sometimes over the public Internet. This poses a major security concern, as these devices handle sensitive information (e.g, banking credentials, personal data) or they are critical for the safety of human lives (e.g, smoke detector, airbag system). Security protocols need to be used in combination with a trusted computing base to ensure that attackers cannot alter the state of the software running on these devices to leak secrets. In this work we focus on the problem of secure interrupt handling, which has not been covered in related work. Our architecture for secure interrupts build on the idea of using simple memory isolation techniques to ensure leakage free processing of secret information on a microcontroller. Three methods of securely handling interrupts are proposed, each exploring a different tradeoff between hardware and software complexity, and interrupt latency. Prototype implementations based on an openMSP430 softcore demonstrate the practical feasibility of our architecture.

Flexible μTPMs through disembedding

With the utilization of TPM-based trusted platforms in real applications, and the subsequent adaption of the specification to the experience gained from such utilization, it increasingly appears that the TPM architecture has some fundamental flaws that result in more and more complex and expensive hardware requirements. In this paper, we propose a new architecture that resets the trust boundary to a much smaller scale, thus allowing for much simpler and more flexible TPM implementations, without sacrificing the security gains from a classical TPM.