Wael Adi

Combined Web/mobile authentication for secure Web access control

Previous Web access authentication systems have used either the Web or the mobile channel individually to confirm the claimed identity of the remote user. Both approaches proved to be insecure when used in isolation. An investigation is presented into the enhanced security of a new combined Web/mobile authentication system. The hybrid system enables a strong authentication by augmenting the traditional Web-based username/password approach with a mobile-based challenge/response authentication. Experiments show that the combined system is relatively immune to eavesdropping attacks and provides a trade-off between security and usability of the remote authentication system. The system is promising for current as well as for future 3G mobile and pervasive computing environments [A. Al-Qayedi et al., 2003].

VLSI design exchange with intellectual property protection in FPGA environment using both secret and public-key cryptography

With the advent of multi-million gate chips, field programmable gate arrays (FPGAs) have achieved high usability for design verification, exchange, test and even production. Adding to this is the possibility of reusing readily available licensed IP to shorten the design cycle. A major concern for IP owners is the possible over-deployment of the IP into more devices than originally licensed. In this paper, we propose a system based on both public-key and secret-key cryptography embedded in a secured design exchange protocol for protecting the rights of the IP owner. The system consists of hardware-supported design encryption and secured device authentication protocols. Design encryption based on secured device identification ensures that the IP can only be deployed into explicitly identified and agreed upon devices. The system uses a combination of secret and public-key cryptographic functions devised for an uncomplicated trustable design exchange scenario. The public-key functions use modular squaring (Rabin lock) on the FPGA chip instead of exponentiation to reduce the hardware complexity.

Bio-Inspired Electronic-Mutation with genetic properties for Secured Identification

One essential security weakness in many modern systems is the difficulty of managing secured and provable-identities for all participating entities. In this work we introduce a process for generating a secret provable identity for electronic devices. The identity is created through a random process that is triggered as an electronic-Mutation (EM) once at a user-defined time after device manufacture. The result should be a provable, certified, secret, unclonable, and unchangeable identity that can serve as an electronic DNA (e-DNA) for the device. The identity is self- created similar to naturally occurring Physical Unclonable Functions (PUF), such that it is infeasible even for the unit manufacturer to create duplicate identities. The proposed identity should in difference to PUF evolve through the lifetime of the device allowing for easier detection of fraud attacks. The identity should also possibly diffuse in all system entities similar to the diffusion of biological DNA in all entities of a living organism. Many legal and criminal issues plaguing mass public-commerce, e-Government and mobile systems could be easily resolved through such an identification technology.

Novel secret-key IPR protection in FPGA environment

Some VLSI IP owners prefer to leave programming their IP into a field programmable gate array (FPGA) to the end customer. A major concern is the possible over-deployment of the IP into more devices than originally licensed. In this paper, the authors proposed a system based on secured handshaking with encrypted device and design authentication information ensuring that the IP can only be deployed into agreed upon devices. The system consists of hardware-supported design encryption and secured authentication protocols.

Combined HW-SW adaptive clone-resistant functions as physical security anchors

Modern resilient security systems require a hard to clone physical module integrated in core system units as basic security anchors. Physical Unclonable Functions (PUFs) were introduced in the last decade as possible physical unclonable security anchors. So far, PUFs as analog units exhibited relative inconsistency due to variations in the operating conditions such as temperature, supply voltage, aging and other possible environmental effects. This lead to relatively high units implementation complexity. This work introduces a consistent pure-digital PUF concept. The proposed digital PUF is a combined Hardware-Software (HW-SW) module, embedded in a System-on-Chip (SoC) device. The key idea is based on triggering an internal true random process, which creates a hard to predict combined digital HW-SW module. Modern Field Programmable Gate Array (FPGA) SoC-devices often incorporate embedded processors in addition to self-reconfiguring hardware cell-arrays. Such combined self-reconfiguring HW-SW architectures allow practical self-creation of clone-resistant digital PUF modules. As pure-digital units, they exhibit negligible sensitivity to both operation conditions and aging factors. We postulate that self-creation of pure-hardware architectures is highly complex in self-reconfiguring FPGA environment. Therefore a combination of both hardware and software is expected to allow more sophisticated and secure functions with higher robustness against Side Channel Attacks (SCAs). It is assumed that any system is basically clonable, if sufficient financial and technical investments are offered. In the proposed concept, each created digital PUF results with its own unknown and hard to predict individual structure. Therefore, to clone any single digital PUF, an individual attack procedure is needed. In that case, mass-cloning tends to become impractical. As a result, cloning attacks on the proposed system are not economic and hence practically useless. The resulting proposed system, when adequately implemented, offers a practical low-cost security anchor for a large class of modern applications.

Cocoon-PUF, a novel mechatronic secure element technology

A new Physical Unclonable Function (PUF) technology is proposed. The technology is targeting the implementation of a highly secure unclonable electromechanical device. The resulting system includes a physical unit providing identification properties mutually-dependent on both microelectronic and mechanical components. The technology is based on combining very high frequency wave propagation, scattering and reflection based on dielectric and/or magnetic particles or composites (potted) in matrices of a closed medium with mechanical spatial factors related to encapsulation material. It is assigned the name Cocoon-based Physical Unclonable Function (Cocoon-PUF). The resulting fingerprint properties are related to the transmitters and sensors integrated on the chip die, the spatial randomized distribution in the encapsulation matrix (potting material), offering unpredictable and hence practically impossible to clone or duplicate mechatronic units. The targeted Cocoon-PUF is to build rigging-resistant non-silicon based mechanical footprints in tamper resistant packaging. Additionally, the proposed technology fits to the tendency and requirement of protection against Electro-Magnetic-Pulse (EMP) surges (as TEMPEST design), which can be seen as an additional pleasant side effect of Electro-Magnetic-Compatibility (EMC) of the Cocoon protection principle. The paper presents the basic technology principles and shows first promising prototyping results of that new technology.

Fast Burst Error-Correction Scheme with Fire Code

A fast burst error-correction decoder is proposed. It can be used for high-speed decoding of a burst error-correcting Fire code having the generator polynomial G(x) = (1 + xC)p(x), where p(x) is irreducible and of degree m and the degree of G (x) is r = c + m, r being the number of redundancy bits. The decoder needs at most r -1 cycles to find both the error burst pattern and its location, whereas conventional decoding needs up to n cycles [1] (n is the number of bits in a codeword), or a fraction of n [2]. The decoding scheme is based on new aspects of the structure of the error syndrome and the parity check matrix of Fire code recently observed by the author. These aspects allow partial syndrome processing in the decoding process. This makes hardware costs relatively low and enables very high-speed decoding. The decoding scheme makes use of modern mapping devices such as programmable read only memories (PROMs) and field programmable logic arrays (FPLAs), resulting in relatively compact and cheap hardware. The encoder/decoder could probably be implemented as a single-chip LSI circuit.

Deploying FPGA self-configurable cell structure for micro crypto-functions

This paper discusses the use of features of modern FPGA designs to enable the implementation of highly secure micro crypto-functions. The paper shows a scenario to integrate a dynamic/evolving cipher function in a reconfigurable FPGA architecture. The proposed system offers a practical methodology for building such functions efficiently in modern reconfigurable FPGAs. The resulting cipher, which is secret but still operational and self-evolving, appears to be quite promising for many modern security applications requiring high security, stability and robustness.

Wallet Based E-Cash System for Secured Multi-hop Cash Exchange

The majorities of contemporary proposed digital cash techniques have many disadvantages in being directly or indirectly account based or not anonymous and offer no offline peer-to-peer transferability. This is for the majority of users - in general - not acceptable. Such an approach fails to replace the role of cash in e-commerce systems. The basic result of this research is a new prepaid multi- hop (transferable) cash payment system solution based on hardware technology implementing an electronic wallet (e- wallet) to accommodate digital coins. Transparent cash transfer (exchange) protocol software can serve at any network device as Internet host, mobile device or any future general purpose communication link. The result is a peer to peer (P2P) electronic cash transfer equivalent to a physical cash transfer in public use. This e-cash system could be a possible alternative to the physical coins & bills. It is a multi-purpose inter-operable digital cash payment scheme for domestic usage. The system is suitable for low value (micro payments in the 1 cent range), as well as for larger payments, regardless of the communication platform or transmission medium.

Secured multi-identity mobile infrastructure and offline mobile-assisted micro-payment application

Wireless networks are increasingly deployed in every-day services. The mobile device is becoming a part of the personal identity for its owner. New mobile standards, such as 3GPP are offering more and more mobile user application areas. It seems very useful to deploy the mobile device itself to support its owners security and his applications. As mobile devices have no secured identity in current standards, we propose first a secured device multi-identity infrastructure. This infrastructure would enable users to accommodate provable identities without involving the network operator. These physical provable identities stick physically to the device hardware and can be securely authenticated over the whole network. We proposed in W. Adi, a global provable mobile identity mechanism. This concept is extended to multi-identity profile to establish a powerful mobile device security infrastructure. Based on this infrastructure, a new mobile assisted offline micro-payment system is presented. The system is equivalent to a pre-certified payment, which can be offline verified. The proposal deploys the mobile device multi-identity capability to prove the validity and eligibility of an issued electronic payment to a merchant. The merchant can verify (offline) that the customers bank entitled the mobile device holder to issue an electronic payment within given limits. The system exhibits public key facilities without traditional high complexity public key processing and does not involve online operations. That makes the proposal especially more efficient for wireless environment. The developed multi-identity mechanisms open also new horizons for the use of such infrastructure to secure other new similar applications.