Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on.

Slides:



Advertisements
Similar presentations
Trusted Design In FPGAs
Advertisements

Lecture 5: Cryptographic Hashes
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Physical Unclonable Functions and Applications
1 U NIVERSITY OF M ICHIGAN Reliable and Efficient PUF- Based Key Generation Using Pattern Matching Srini Devadas and Zdenek Paral (MIT), HOST 2011 Thomas.
Physical Unclonable Functions
Digital Signatures and Hash Functions. Digital Signatures.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown and edited by Archana Chidanandan Cryptographic Tools.
Cryptography Basic (cont)
Chapter 5 Cryptography Protecting principals communication in systems.
CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
On The Cryptographic Applications of Random Functions Oded Goldreich Shafi Goldwasser Silvio Micali Advances in Cryptology-CRYPTO ‘ 84 報告人 : 陳昱升.
Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
Lecture 4 Cryptographic Tools (cont) modified from slides of Lawrie Brown.
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
SSH Secure Login Connections over the Internet
© Neeraj Suri EU-NSF ICT March 2006 DEWSNet Dependable Embedded Wired/Wireless Networks MUET Jamshoro Computer Security: Principles and Practice Slides.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 21 “Public-Key Cryptography.
Secure storage of cryptographic keys within random volumetric materials Roarke Horstmeyer 1, Benjamin Judkewitz 1, Ivo Vellekoop 2 and Changhuei Yang 1.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Lecture 11: Strong Passwords
1 UCR Hardware Security Primitives with focus on PUFs Slide credit: Srini Devedas and others.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
Chapter 21 Public-Key Cryptography and Message Authentication.
NSRI1 Security of Wireless LAN ’ Seongtaek Chee (NSRI)
Physically Unclonable Function– Based Security and Privacy in RFID Systems Leonid Bolotnyy and Gabriel Robins Dept. of Computer Science University of Virginia.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 2 – Cryptographic.
11.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 11 Message Integrity and Message Authentication.
DIFFERENTIAL CRYPTANALYSIS Chapter 3.4. Ciphertext only attack. The cryptanalyst knows the cryptograms. This happens, if he can eavesdrop the communication.
Encryption Questions answered in this lecture: How does encryption provide privacy? How does encryption provide authentication? What is public key encryption?
Chapter 7 Confidentiality Using Symmetric Encryption.
Encryption No. 1  Seattle Pacific University Encryption: Protecting Your Data While in Transit Kevin Bolding Electrical Engineering Seattle Pacific University.
Lecture 2: Introduction to Cryptography
Authentication Issues and Solutions CSCI 5857: Encoding and Encryption.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Identification Authentication. 2 Authentication Allows an entity (a user or a system) to prove its identity to another entity Typically, the entity whose.
Focus On Bluetooth Security Presented by Kanij Fatema Sharme.
Data Integrity Proofs in Cloud Storage Author: Sravan Kumar R and Ashutosh Saxena. Source: The Third International Conference on Communication Systems.
多媒體網路安全實驗室 Anonymous Authentication Systems Based on Private Information Retrieval Date: Reporter: Chien-Wen Huang 出處: Networked Digital Technologies,
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Lecture Topics: 11/29 Cryptography –symmetric key (secret key) –public/private key –digital signatures.
Hashes Lesson Introduction ●The birthday paradox and length of hash ●Secure hash function ●HMAC.
Design of Physically Unclonable Functions Using FPGAs
Wired Equivalent Privacy (WEP) Chris Overcash. Contents What is WEP? What is WEP? How is it implemented? How is it implemented? Why is it insecure? Why.
Real-life cryptography Pfeiffer Alain.  Types of PRNG‘s  History  General Structure  User space  Entropy types  Initialization process  Building.
Software Security Seminar - 1 Chapter 2. Protocol Building Blocks 발표자 : 최두호 Applied Cryptography.
หัวข้อบรรยาย Stream cipher RC4 WEP (in)security LFSR CSS (in)security.
Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.
Fourth Edition by William Stallings Lecture slides by Lawrie Brown
SSH: SECURE LOGIN CONNECTIONS OVER THE INTERNET
Physical Unclonable Functions and Applications
Pseudorandom Numbers Network Security.
Presentation transcript:

Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on Trustworthy Embedded Devices, San Francisco, May ACES Lab, Rice University *Computation Structures Group, MIT

Traditional digital key-based authentication Keys stored in non-volatile memory – Verifier sends random number (challenge) – Prover signs the number by it’s secret key and sends a response Limitation – Extra cost of non-volatile memory – Physical and side channel attacks – Intensive cryptographic algorithms 2 Challenge VerifierProver

Physical unclonable functions (PUFs) PUFs based on the inherent, hard to forge, physical disorders Two major types*: – Weak PUF – Strong PUF 3 *Ruhrmair, et al., Book chapter in ‘Intro to Hardware Security and Trust’, Springer’11

Security based on PUFs: Weak PUFs Also called Physically Obfuscated Keys (POKs) Limited Challenge-Response Pairs – Based on ring-oscillators Generate standard digital key for security apps When challenged by one (or very few) fixed challenge(s) generates Response(s) depending on its physical disorder Response(s) is used to generate secret key Intensive cryptographic algorithm is still needed 4 Ruhrmair, et al., Book chapter in ‘Intro to Hardware Security and Trust’, Springer’11

Strong PUFs* Directly used for challenge response authentication Provide large Challenge-Response Pairs (CRPs) Often exponential w.r.t. system elements Neither an adversary nor manufacturer should correctly predict the response to a randomly chosen challenge with a high probability** 5 *Ruhrmair, et al., Book chapter in ‘Intro to Hardware Security and Trust’, Springer’11 **Gassend, et al., CCS’02

Delay-based Strong PUF Compare two paths with an identical delay in design*, ** Each challenge selects a unique pair of delay paths – Random process variation determines which path is faster – An arbiter outputs 1-bit digital response – Multiple bits can be obtained by either duplicate the circuit or use different challenges … c-bit Challenge Rising Edge 1 if top path is faster, else 0 DQ G Response *Suh and Devadas, DAC *Gassend, et al., SAC’03 **Lee, et al., VLSI Symp’04

An arbiter PUF can be modeled easily* Fast modeling  compromised security ** Model building 7 * Majzoobi, Koushanfar, Potkonjak, TRETS’08 **Ruhrmair, et al., CCS’10

Lightweight safeguarding of PUFs Protect against machine learning attacks by Blocking controllability and observability* 1.Transform challenges Input network 2.Block controllability 3.Block observability Output network * Majzoobi, et al., ICCAD ‘08 8

XORed delay-based PUF Block observability by lossy compression Swapping the challenge order to improve statistical properties* 9 *Majzoobi, et al., ICCAD ‘08

XORed delay-based PUFs Improvement in randomness of responses Strict Avalanche Criterion – Any transition in the input causes a transition in the output with a probability of 0.5 Balances the impact of challenge on output 10

Model building attack on Xored-PUF Use XORed PUFs to guard against modeling Harder, but still breakable * – Logistic regression, evolutionary strategies – Two order of magnitude more CRPs needed 11 *Ruhrmair, et al., CCS’10

Problem with just Xoring Still breakable Cannot increase XOR layers indefinitely Accumulates error – 5%  20% for 4 XOR A solution* to guard against modeling while robust against errors – Using error correction codes (ECC) and hashing – Computationally intensive! – Not suitable for low-power embedded devices 12 *Gassend, et al., CCS’02

Desired properties of protocol Robust against model building attacks Robust against PUF errors Ultra low-power – No Hashing – No error correction codes 13

14 Slender PUF Protocol

Communicating parties Prover – Has PUF – Will be authenticated Verifier – Has a compact soft model of the PUF Compute challenge/response pairs – Will authenticate the prover 15 Challenge VerifierProver

Xored delay-based PUF model PUF secrets – Set of delays The secret sharing is performed initially Electronic fuse burned to disable access* 16 Probing here for model building *Majzoobi, Koushanfar, Potkonjak, TRETS’08

Malicious parties Dishonest prover – Does not have access to the PUF – Wants to pass the authentication Eavesdropper – Taps the communication between prover and verifier – Tries to learn the secret Dishonest verifier – Does not have access to the PUF soft model – Tries to actively trick the prover to leak information 17

Slender PUF Protocol 18 Verifier Prover

Slender PUF Protocol 19 Verifier Prover

Slender PUF Protocol 20 Verifier Prover

Slender PUF Protocol 21 Verifier Prover The same seed for both sides Random if only one of them is honest

Slender PUF Protocol 22 Verifier Prover PRNG Generate challenge stream from seed The same challenge for both sides

Slender PUF Protocol 23

Slender PUF Protocol 24

Slender PUF Protocol 25 PUF modeling error

26 The index is not transmitted

27 It reveals minimum informationn about original response sequence

Model building attacks Set L sub = 500, L = % threshold for authentication  – 99% accuracy in modeling XORed PUF attack: 500,000 CRPs needed 500,000 /500=1000 rounds needed He doesn’t have ind  … 28

Brute-force modeling attack Set L sub = 500, L = 1024 – /500=1000 rounds of protocol needed – In each one, ind is unknown – /500 = models needed to be built Strict avalanche criteria to avoid correlation attacks

Guessing attack Dishonest Prover Honest Prover – P err : PUF error rate 30

Replay attack Eavesdropping and replying the responses Nonce scheme prevents it If prover and verifier nonces are 128-bit: – Size of database for 50%: Very low probability! 31

Implementation Same challenge streams should not be used We need : – PRNG (pseudo random number generator) Challenge stream generation – TRNG (true random number generator) Nonce Index of substring (ind) ind is generated first  – PUF is only challenged when necessary 32

Slender PUF protocol: System overview 33

TRNG and PRNG TRNG: – PUF based – Based on flip-flop meta- stability 34 M. Majzoobi, et al., CHES, 2011 PRNG: Need not to be cryptographically secure LFSR is enough

Slender PUF Protocol Previously known protocol*, just SHA-2 Slender PUF Overhead comparison 35 *Gassend, et al., CCS’02

Conclusions – Authentication protocol based on PUFs – Protect against model building – Revealing a partial section of the PUF responses Based on string matching – Resilient against PUF error, without: – Error correction – Hashing – Exponentiation 36

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.