Doc.: 11-12-1120r0 Submission September 17, 2012 René Struik (Intrinsic-Id)Slide 1 Secure Key Storage and True Random Number Generation Date: 2012-09-17.

Slides:



Advertisements
Similar presentations
Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.
Advertisements

Trusted Design In FPGAs
Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,
Subthreshold SRAM Designs for Cryptography Security Computations Adnan Gutub The Second International Conference on Software Engineering and Computer Systems.
GOPAS TechEd 2012 PKI Design Ing. Ondřej Ševeček | GOPAS a.s. |
Computer Organization and Architecture
Strong Key Derivation from Biometrics
Novel Reconfigurable Silicon Physical Unclonable Functions Yingjie Lao and Keshab K. Parhi Department of Electrical and Computer Engineering University.
International Symposium on Low Power Electronics and Design Low-Power Sub-Threshold Design of Secure Physical Unclonable Functions 1 Lang Lin, 2 Dan Holcomb,
Security with Noisy Data Boris Škorić TU Eindhoven Ei/Ψ anniversary, 24 April
Physical Unclonable Functions and Applications
1 U NIVERSITY OF M ICHIGAN Reliable and Efficient PUF- Based Key Generation Using Pattern Matching Srini Devadas and Zdenek Paral (MIT), HOST 2011 Thomas.
Physical Unclonable Functions
Fuzzy Stuff Lecture 24, Outline Motivation: Biometric Architectures Motivation: Biometric Architectures New Tool (for us): Error Correcting.
1 Design and Implementation for Secure Embedded Biometric Authentication Systems Shenglin Yang Advisor: Ingrid Verbauwhede Electrical Engineering Department.
The Performance of Polar Codes for Multi-level Flash Memories
Doc.: IEEE /770r0 Submission July 2009 Slide 1 TGs Authenticated Encryption Function Date: Authors: Russ Housley (Vigil Security), et.
NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.
Daniel E. Holcomb, Wayne P. Burleson and Kevin Fu
Fuzzy extractor based on universal hashes
 Secure Authentication Using Biometric Data Karen Cui.
First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown and edited by Archana Chidanandan Cryptographic Tools.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Design and Implementation of a True Random Number Generator Based on Digital Circuit Artifacts Michael Epstein 1, Laszlo Hars 2, Raymond Krasinski 1, Martin.
Leakage-Resilient Storage Francesco Davì Stefan Dziembowski Daniele Venturi SCN /09/2010 Sapienza University of Rome.
Lecture 4 Cryptographic Tools (cont) modified from slides of Lawrie Brown.
Network Security Essentials Fifth Edition by William Stallings Fifth Edition by William Stallings.
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Key Management Lifecycle. Cryptographic key management encompasses the entire lifecycle of cryptographic keys and other keying material. Basic key management.
© Neeraj Suri EU-NSF ICT March 2006 DEWSNet Dependable Embedded Wired/Wireless Networks MUET Jamshoro Computer Security: Principles and Practice Slides.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 21 “Public-Key Cryptography.
1 Convergent Dispersal: Toward Storage-Efficient Security in a Cloud-of-Clouds Mingqiang Li 1, Chuan Qin 1, Patrick P. C. Lee 1, Jin Li 2 1 The Chinese.
1 FIPS 140 Validation for a “System-on-a-Chip” September 27, 2005 NIST Physical Testing Workshop.
Cryptography on Non-Trusted Machines Stefan Dziembowski.
Bit Error Probability Evaluation of RO PUFs Qinglong Zhang, Zongbin Liu, Cunqing Ma and Jiwu Jing Institute of Information Engineering, CAS, Beijing, China.
Key Management Workshop November 1-2, Cryptographic Algorithms, Keys, and other Keying Material  Approved cryptographic algorithms  Security.
1 UCR Hardware Security Primitives with focus on PUFs Slide credit: Srini Devedas and others.
Extracting Robust Keys from NAND Flash Physical Unclonable Functions Shijie Jia, Luning Xia, Zhan Wang, Jingqiang Lin, Guozhu Zhang and Yafei Ji Institute.
Information Security Lab. Dept. of Computer Engineering 182/203 PART I Symmetric Ciphers CHAPTER 7 Confidentiality Using Symmetric Encryption 7.1 Placement.
Chapter 3 Internal Memory. Objectives  To describe the types of memory used for the main memory  To discuss about errors and error corrections in the.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 2 – Cryptographic.
10 March 2002 doc.: IEEE /126r0 Bob Huang, Sony ElectronicsSlide 1Submission Project: IEEE P Working Group for Wireless Personal Area Networks.
Possible Testing Solutions and Associated Costs
CHES Viktor Fischer Université Jean Monnet, Saint-Etienne, France Miloš Drutarovský Technical University of Košice,
Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When.
Semiconductor Memory Types
Lecture5 – Introduction to Cryptography 3/ Implementation Rice ELEC 528/ COMP 538 Farinaz Koushanfar Spring 2009.
TRUSTED FLOW: Why, How and Where??? Moti Yung Columbia University.
When is Key Derivation from Noisy Sources Possible?
Design of Physically Unclonable Functions Using FPGAs
Chapter 5 Internal Memory. contents  Semiconductor main memory - organisation - organisation - DRAM and SRAM - DRAM and SRAM - types of ROM - types of.
Doc.: IEEE /0964r0 Submission September 2010 David Halasz, AclaraSlide 1 Smart Grid and Key Lengths Date: Authors:
The Federal Information Processing Standards (FIPS) Encryption Suite Sean Smith COSC
William Stallings Computer Organization and Architecture 7th Edition
Reusable Fuzzy Extractors for Low-Entropy Distributions
Impregnable Brand Protection For Non-Electronic Products
Aya Fukami, Saugata Ghose, Yixin Luo, Yu Cai, Onur Mutlu
William Stallings Computer Organization and Architecture 7th Edition
William Stallings Computer Organization and Architecture 8th Edition
Jeremie S. Kim Minesh Patel Hasan Hassan Onur Mutlu
William Stallings Computer Organization and Architecture 7th Edition
When are Fuzzy Extractors Possible?
William Stallings Computer Organization and Architecture 8th Edition
Protect Your Hardware from Hacking and Theft
When are Fuzzy Extractors Possible?
William Stallings Computer Organization and Architecture 8th Edition
Presentation transcript:

doc.: r0 Submission September 17, 2012 René Struik (Intrinsic-Id)Slide 1 Secure Key Storage and True Random Number Generation Date: Authors: NameCompanyAddressPhone René StruikIntrinsic-Id BVHigh Tech Campus AE Eindhoven The Netherlands USA: +1 (415) Toronto: +1 (647) Skype: rstruik id.com

doc.: r0 Submission September 17, 2012 René Struik (Intrinsic-Id)Slide 2 Outline 1.Putting Trust in Devices  Conventional Approach  Exploiting “physical” device properties 2.Secure Key Storage via PUFs  Main Idea  Reliability  Randomness  Instantiations 3.True Random Number Generation via PUFs  Main Idea  Randomness Extraction  Seeds via PUFs 5.Conclusions & Future Directions

doc.: r0 Submission September 17, 2012 René Struik (Intrinsic-Id)Slide 3 Putting Trust in Devices Conventional Approach  Trusted implementation of crypto, including side channel resistance  Trusted security policy routines  Secure and authentic key storage  Secure RNG (or RNG seed) This requires persistent, secure key storage What to do if no persistent storage on device? (or, not yet) What to do if attacks target  Key storage location?  Seeds for random number generator? Device AES RNGECC AESKseed(d, Q) Keys Crypto Functions Security Functions Security Policies Key Management Applications Confidentiality, authenticity Authenticity (Some) authenticity

doc.: r0 Submission September 17, 2012 René Struik (Intrinsic-Id)Slide 4 Secure Key Storage – Main Idea Conventional Approach  Persistent, secure key storage Potential approach  Secure key storage ON/OFF button Key K is derived from “device properties” upon device start-up (physically unclonable functions – PUFs) Device OFF AES K Device ON AES K Device OFF AES  Device ON AES K Properties  Persistent, secure key storage required  Potential attacks on key storage in “Device OFF” state The promise…  No persistent, secure key storage needed  No attacks on key storage in “Device OFF” state possible

doc.: r0 Submission September 17, 2012 René Struik (Intrinsic-Id)Slide 5 Secure Key Storage via PUFs  Main Idea  Reliability  Randomness  Instantiations

doc.: r0 Submission September 17, 2012 René Struik (Intrinsic-Id)Slide 6 Secure Key Storage – Reliability of PUFs (1) Basic approach – uniform, exact distribution  Secure key storage ON/OFF button Key K is derived from “device properties” upon device start-up Alleviated constraints – biased, exact distribution Key K is derived from “device properties” PUF value read-out f upon device start-up Assumptions on key K  Key K random  Reliable reconstruction of key K possible Assumptions on PUF f  PUF f high min-entropy  Reliable reconstruction of f possible Device OFF AES  Device ON AES K Device OFF AES  Device ON AES KH f 

doc.: r0 Submission September 17, 2012 René Struik (Intrinsic-Id)Slide 7 Secure Key Storage – Reliability of PUFs (2) Alleviated constraints – biased, exact distribution  Secure key storage ON/OFF button Key K is derived from “device properties” upon device start-up Alleviated constraints – biased distribution, allowing errors Key K is derived from “device properties” PUF value read-out f upon device start-up Assumptions on PUF f  Key f high min-entropy  Reliable reconstruction of f possible Assumptions on PUF f’  Key f high min-entropy  Reliable reconstruction of “baseline” f from read-out f’ Device OFF AES  Device ON AES KH f  Device OFF AES  Device ON AES KH f’  f Dec

doc.: r0 Submission September 17, 2012 René Struik (Intrinsic-Id)Slide 8 Secure Key Storage – Reliability of PUFs (3) Alleviated constraints – biased distribution, allowing errors (details)  Device enrollment h  Subsequent read-out Note: Helper data does leak info on PUF value f, but not (!) where it matters Key K is derived from “device properties” PUF value read-out f upon device start-up Properties  Creates key K:=H(f)  Creates helper data h:=f + c that can be public (c is random word of t- error-correcting code) Properties  Decodes f’ to f from f’ + h=(f’+f)+ c, if f’  f (less than t errors)  Creates key K:=H(f) Device ON AES KH f’ f Dec Device ON AES KH f h Enc Public database

doc.: r0 Submission September 17, 2012 Secure Key Storage – Reliability of PUFs (4) Reliability depends on error sources and error-control codes used Sources of errors with PUF value read-outs  Chip process technology, PUF details  Temperature  Voltage  Time (“aging”) Typical relative errors with PUFs  15% or less Extensive tests with SRAM:  Cypress 65nm/150nm Virage 90nm/130nm Faraday 130nm Error-correcting code optimization trade-offs:  Rate focus: allows use of smaller PUF value  Complexity focus: use small footprint (repetition, Golay, Reed-Muller codes) Typical PUF size (with SRAM)  0.5 kBytes feasible (for 128-bit secret keys)

doc.: r0 Submission September 17, 2012 René Struik (Intrinsic-Id) Secure Key Storage – Randomness of PUFs (1) Randomness Requirement  PUF read-out f should have high min-entropy (then, K:=H(f) makes this key random if key extractor H properly picked )  PUF read-out between different devices should be unpredictable (  50%) PUF example: SRAM Memory Cell (6T) – on next slides Typical min-entropy with SRAM-based PUFs  75% or more (So, 171 SRAM cells have 128-bits of entropy)  Dependency on chip process technology  Smaller technologies tend to have higher min-entropy (  88%) More PUF examples: D-Flip Flop,Buskeeper logic Examples above are all standard semiconductor components  Easy to integrate (no need to introduce new components)  Easy to evaluate (digital read-out)

doc.: r0 Submission September 17, 2012 René Struik (Intrinsic-Id) Secure Key Storage – Randomness of PUFs (2) PUF example: SRAM Memory Cell (6T)

doc.: r0 Submission September 17, 2012 René Struik (Intrinsic-Id) Secure Key Storage – Randomness of PUFs (3) PUF example: SRAM Memory Cell (6T) L

doc.: r0 Submission September 17, 2012 René Struik (Intrinsic-Id) Secure Key Storage – Randomness of PUFs (4) PUF example: SRAM Memory Cell (6T) SRAM Start-up Behavior  Dominant factor is Threshold voltage (Simulation results: 2x more dominant than other parameters 1 ) Source: A. Dargar, “Modeling SRAM Start-up Characteristics For Physical Unclonable Functions,” Delft University of Technology, MSc. Thesis, 2011.

doc.: r0 Submission September 17, 2012 René Struik (Intrinsic-Id) Secure Key Storage – Randomness of PUFs (5) PUF example: SRAM Memory Cell (6T) SRAM Start-up Behavior Strongest inverter determines start-up preference of SRAM cell V DD 0 1 ±Vth NMOS ±Vth PMOS ±Vth NMOS

doc.: r0 Submission September 17, 2012 René Struik (Intrinsic-Id) Secure Key Storage – Randomness of PUFs (6) PUF example: SRAM Memory Cell (6T) SRAM Start-up Behavior Strongest inverter determines start-up preference of SRAM cell V DD 0 1 ±Vth NMOS ±Vth PMOS ±Vth NMOS V DD VT<VT<VT>VT>

doc.: r0 Submission September 17, 2012 René Struik (Intrinsic-Id)Slide 16 True Random Number Generation via PUFs  Main Idea  Randomness Extraction  Seeds via PUFs

doc.: r0 Submission September 17, 2012 René Struik (Intrinsic-Id)Slide 17 True Random Number Generation – Main Idea Recap of secure key storage with PUFs  Device enrollment h  Subsequent read-out Note: Error pattern e:=f’+f is good source of randomness (!) Key K is derived from “device properties” PUF value read-out f upon device start-up Properties  Creates key K:=H(f)  Creates helper data h:=f + c that can be public (c is random word of t- error-correcting code) Properties  Decodes f’ to f from f’ + h=(f’+f)+ c, if f’  f (less than t errors)  Creates key K:=H(f) Device ON AES KH f’ f Dec Device ON AES KH f h Enc Public database

doc.: r0 Submission September 17, 2012 True Random Number Generation – Randomness Seed Entropy of error “side channel” depends on error sources Sources of errors with PUF value read-outs  Chip process technology, PUF details  Temperature  Voltage  Time (“aging”) Typical min-entropy of errors with PUFs  2-4% or more Extensive tests with SRAM:  Cypress 65nm/150nm Typical PUF size (with SRAM)  0.8 kBytes feasible (for 128-bit truly random seeds)

doc.: r0 Submission September 17, 2012 René Struik (Intrinsic-Id)Slide 19 Conclusions and Future Directions

doc.: r0 Submission September 17, 2012 René Struik (Intrinsic-Id)Slide 20 Conclusions  Use of PUFs for secure key storage attractive (  0.5 kBytes for 128-bit keys)  No persistent, secure key storage needed  No attacks on key storage in “Device OFF” state possible  Helper data may be stored outside device (or added later in lifecycle)  Potential other uses  Anti-cloning  True random number generation (  0.8 kBytes for 128-bit true seed) (useful with NIST RNG specifications)

doc.: r0 Submission September 17, 2012 René Struik (Intrinsic-Id)Slide 21 Further Reading Physically Unclonable Functions: 1.Y. Dodis, R. Ostrovsky, L. Reyzin, A. Smith, “Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data,” International Association for Cryptologic Research, IACR ePrint 2003/235, J. Guajardo, S.S. Kumar, G-J. Schrijen, P. Tuyls, “FPGA Intrinsic PUFs and Their Use for IP Protection,” in Proceedings of Cryptographic Hardware and Embedded Systems – CHES 2007, P. Paillier, I. Verbauwhede, Eds., Lecture Notes in Computer Science, Vol. 4727, pp , R. Maes, I. Verbauwhede, “Physically Unclonable Functions: a Study on the State of the Art and Future Research Directions,” in Towards Hardware-Intrinsic Security – Foundations and Practice, Part I, A- R. Sadeghi, D. Naccache, Eds., pp. 3-37, V. van der Leest, E. van der Sluis, G-J. Schrijen, P. Tuyls, H. Handschuh, “Efficient Implementation of True Random Number Generator Based on SRAM PUFs,‘” in Cryptography and Security: From Theory to Applications, Lecture Notes in Computer Science, Vol. 6805, pp , V. van der Leest, B. Preneel, E. van der Sluis, “Soft Decision Error Correction for Compact Memory- Based PUFs Using a Single Enrollment,” to be presented at Cryptographic Hardware and Embedded Security – CHES R. Maes, V. Rozic, I. Verbauwhede, P. Koeberl, E. van der Sluis, V. van der Leest, “Experimental Evaluation of Physically Unclonable Functions in 65 nm CMOS,” in Proceedings of 38th European Solid-State Circuits Conference – ESSCIRC 2012, IEEE, G-J. Schrijen, V. van der Leest, “Comparative Analysis of SRAM Memories Used as PUF Primitives,” DATE 2012.

doc.: r0 Submission September 17, 2012 René Struik (Intrinsic-Id)Slide 22 Further Reading (cont’d) NIST Standards and Guidelines related to RNGs and to Secure Key Storage: 8.NIST SP A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators (Revised), January 25, NIST SP B, Recommendation for the Entropy Sources Used for Random Bit Generation, Draft, September 6, NIST SP C, Recommendation for Random Bit Generator (RBG) Constructions, Draft, September 6, NIST SP , A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications, May 15, FIPS 140-2, Implementation Guidance for FIPS Pub and the Cryptographic Module Validation Program, July 15, FIPS Pub 140-2, Annex C: Approved Random Number Generators for FIPS Pub 140-2, Security Requirements for Cryptographic Modules, Draft, February 16, NIST SP B, BIOS Protection Guidelines for Servers, Draft, July

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.