Security Primitives IV: PUF-Based Authentication Protocols

Instructor 

Dr. Jim Plusquellic is a professor in the Electrical and Computer Engineering Department at the University of New Mexico and President and CEO, IC-Safety.

Learning Objectives

Authentication between IoT devices is important for maintaining security, trust and data integrity in an edge device ecosystem. The low-power, reduced computing capacity of the IoT device makes public-private, certificate-based forms of authentication impractical, while other lighterweight, symmetric cryptography-based approaches, such as message authentication codes, are easy to spoof in unsupervised environments where adversaries have direct physical access to the device. A compromised IoT device represents a threat to the core network infrastructure because malicious actors can potentially gain unauthorized access and elevated privileges to back-end resources and/or supply network applications with compromised data. Such environments are better served by security primitives rooted in the hardware with capabilities exceeding those available in cryptography-only frameworks. A key foundational hardware security primitive is the physical unclonable function or PUF. PUFs are well known for removing the need to store secrets in secure non-volatile memories, and for providing very large sets of authentication credentials. In this course, we describe PUF-based mutual authentication protocols rooted in the entropy provided by a PUF. As a unique hardware-based random oracle, PUFs can embed cryptographic hardness and binding properties needed for a secure, interactive authentication system.

This micro-certificate course is organized into a set of Units, described as follows:

• Unit 1: Introduction to Authentication: Unit 1 explores authentication basics and modern authentication techniques, namely, Digital Certificate, Shared Key, Token and Hardware-based authentication protocols. The benefits and drawbacks of each technique are presented, with a focus on their application to IoT devices. The unit continues with the steps needed to establish a secure channel with particular focus on transport layer security or TLS. The suite of cryptographic primitives used within the TLS protocol are covered including Diffie-Hellman key exchange, RSA, HMAC, digital signatures and AES. The unit concludes with a discussion on the weaknesses of the TLS protocol, and thus the motivation for next-generation PUF-based schemes, particularly as they relate to the elimination of the certificate authority.
• Unit 2: PUF-Based Authentication: This unit introduces the fundamental characteristics of PUF-based authentication protocols. Based on a strong form of authentication referred to as challenge-response-pairs (CRP). Provisioning or Enrollment is carried out between a device and a trusted authority (TA), where the TA records CRPs for the device in its database. These CRPs can be distributed to other devices to enable off-line authentication. PUF-based authentication can either require a fuzzy match or an exact match to the exchanged response bitstrings when devices authenticate. Use of cryptographic primitives such as SHA can be used to obscure response bitstrings as a means of preventing model-building attacks. Finally, strong versus weak PUF trade-offs are discussed.
• Unit 3: Error Correcting Codes and Fuzzy Extractors: Unit 3 provides an overview of error correction codes or ECC and discusses the different types with worked examples of Hamming and BCH codes. The use of ECC in PUF-based authentication protocols is described, as well as the differences associated with using ECC for improving reliability in communication verses their use for improving reliability in regenerating PUF responses. The benefits and pitfalls of using ECC for PUFs is discussed, an example PUF-based message exchange protocol is presented.
• Unit 4: PUF-Based Authentication Protocols: This unit discusses the fundamental characteristics and limitations of PUF-based authentication protocols. It covers the classical models used in recently proposed PUF-based authentication protocols. A very simple and very lightweight model is described as the gold standard architecture, as well as its requirements to be classified as a secure authentication protocol. Four additional protocols are described that address security issues of the preceding protocols, The benefits and drawbacks of each are described in detail and how they serve with regard to enhancing the security properties of the protocol. The unit closes with a look at advanced, light-weight authentication protocols that possess special attributes including privacy-preservation and anonymity./li>
• Unit 5: Supplemental Lecture: Unit 5 presents a hardware example that incorporates a physical unclonable function (PUF) called the Shift-Register Reconvergent-Fanout (SiRF) PUF-TRNG, that is presented in Unit 4, for generating encryption keys, authentication bitstrings, and nonces, for securing communication between chiplets within a 2.5D or 3D package and across components of the sytem architecture.

Prerequisites:

• MEST Micro-certificate: Security Primitives I – Introduction to Physical Unclonable Functions
• MEST Micro-certificate: Security Primitives II – Physical Unclonable Function Architectures (recommended)

Target Audience

Designed for U.S. citizens working in the Department of War, Government, or Government-affiliated employees, industry, as well as college students and faculty. Must register with your organizational email, and will be notified of acceptance within one week of the course start date.

Biography

Professor Plusquellic received his M.S. and Ph.D. degrees in Computer Science from the University of Pittsburgh in 1995 and 1997, respectively. He is currently a professor of electrical and computer engineering at the University of New Mexico. His research interests are in the area of nano-scale VLSI and include security and trust in IC hardware, embedded system design, supply chain and IoT security and trust, silicon validation, design for manufacturability, and delay test methods. Professor Plusquellic received an “Outstanding Contribution Award” from the IEEE Computer Society in 2012 for co-founding and his contributions to the Symposium on Hardware-Oriented Security and Trust (HOST), and again recently in 2017 for “Co-Founder of and providing Outstanding Contributions to the IEEE International Symposium on Hardware-Oriented Security and Trust (HOST) for the Past Ten Years 2008-2017”. He is the Trust and Assurance Lead for ASU’s ME COMMONS (SWAP) Hub since July 2024. He served as General Chair for HOST in 2010, as Program Chair for HOST in 2008, 2009, and 2020, and as panelist and moderator for panels at HOST 2020. He has served as Associate Editor for Transactions on Computers and is
currently serving as Editor-in-Chief of Hardware Security for Cryptography, MDPI. He has recently been inducted into the HOST Hall-of-Fame and has authored or co-authored three book chapters for Springer Link on the topics of PUF-based Authentication and Hardware Trojan Detection. He received the “10 Years of Continuous Service Award” from the International Test Conference, a Best Paper Award from VTS, an ACM Distinguished Service Award from SIGDA, and two Austin CAS Fellow Awards from IBM. He received the “Albuquerque lab-to-business accelerator” award in 2016, the “2014 Innovation Award” from the Science and Technology Center at the University of New Mexico, was a “Featured Entrepreneur” within the School of Engineering, and has multiple patents and provisional applications filed with the US. Patent and Trademark Office. Professor Plusquellic is President and CEO of IC-Safety, LLC, and a consultant for Enthentica Inc., both start-ups in the hardware security and trust space. He has published more than 140 refereed conference and journal papers. He is a Golden Core Member of the IEEE Computer Society.