To PUF or Not to PUF

By Chad Cox

Production Editor

Embedded Computing Design

July 07, 2023

Story

In 2022, the US and EU passed upcoming cybersecurity acts with the hope of implementing and enforcing the new laws in 2024.  IoT device makers will need to shift their concerns from “time to market” to “ensuring security.” One option to create a suitably secured device within a critical system is to use digital fingerprints for ICs, using physically unclonable functions (PUF). Utilizing PUF technology, designers can implement unique identifications for every chip produced. Intrinsic-ID is one of the pioneers of PUF technology and leverages SRAM PUF that syncs with startup protocols of SRAM memory.

The nature of implementing SRAM is that it is a volatile memory that loses stored assets when power is removed. When power is restored, the SRAM creates a completely new sequence of zeroes and ones.  Vincent van der Leest, Director Product Marketing, Intrinsic-ID, said, “The random pattern is actually pretty stable when you power up the same chip over and over again.” The algorithms created by Intrinsic-ID change the general fingerprint in SRAM into a stable and random cryptographic root key configuring the foundation for the root of trust.

The Device is the Key

Through conversations with customers, Intrinsic-ID found that the biggest requirements in complying with the upcoming cybersecurity laws are security, flexibility, and cost. SRAM PUF keys do not need to be provisioned externally into a device because the keys come from the device. According to Vincent, “When you use SRAM PUF technology, there's never any sensitive data in non-volatile memory. That means that all the sensitive data that you have on your device could also be additional keys, or it could be sensitive IP, or whatever. You can encrypt this with the keys that are derived from the PUF,” and with the SRAM’s volatile memory, “no one can ever get to the data, no one can ever copy the data, or copy the keys from one device to the next.”  Intrinsic-ID’s PUF technology increases security in a device so much so that the US government and its contractors are utilizing the technology as it is fully certified for US government and defense work.

The SRAM PUF technology does not utilize any key provisioning or secure storage and encompasses a wide flexibility adding various vendors within the supply chain. Because no additional storage is needed, there is never a need to add additional components, cutting down on the complexity of the device. Intrinsic employs general off-the-shelf devices in standard supply chains for an even higher flexibility.

Ain’t Got No Time for This

The time is running out for device makers to take a deep look at their security. With the forthcoming legislation, manufacturers may be held liable if their device becomes unstable. The described PUF technology aids in certification up to the federal level, ensuring that devices will pass industrial standards such as the National Institute of Standards and Technology (NIST) certification.

Certifications include NIST CAVP, NIST SP800-90A, and B for random numbers. Deployed devices that currently use Intrinsic-ID’s technology have been certified with other standards including EMVCo for payment, common criteria up to a level of EAL6 plus, PSA, and IOXT.

Don’t Miss the Zign

Intrinsic-ID has developed a new embedded software security solution (Zign), for hardware-based security anchors with strong cryptographic keys and random numbers, allowing all IoT devices to encrypt data and secure communications. Zign is based on Intrinsic-ID’s PUF software technology, and as it receives an SRAM fingerprint from a device, it runs the Intrinsic-ID algorithm. This creates cryptographic root keys on the component without ever having keys exported or viewed somewhere outside of the designated safe place.

As the SRAM PUF functions within Zign, the NIST certified cryptographic algorithms are joined by other security algorithms including AES, public key cryptography based on elliptic curves, and PKI elements for generating and signing certificates on devices.

Functioning PUF

Intrinsic-ID has already worked with a customer that needed its device to reach the highest level of security. The unmentioned company had two choices, design a brand-new device to meet certification levels, or enhance the security within its existing hardware. The customer realized it had another choice, to enhance its product without any changes. They accomplished this by adding Intrinsic-ID’s all software-based PUF solution, giving them the highest level of certified security with a much lower cost.

 

Chad Cox. Production Editor, Embedded Computing Design, has responsibilities that include handling the news cycle, newsletters, social media, and advertising. Chad graduated from the University of Cincinnati with a B.A. in Cultural and Analytical Literature.

More from Chad