
EETE SEPT 2013

ELECTRONIC ENGINEERING TIMES EUROPE is published 11 times in 2013 by European Business Press SA, 7 Avenue Reine Astrid, 1310 La Hulpe, Belgium. Volume 15, Issue 8. Copyright 2013 by European Business Press SA. All rights reserved.
Physically unclonable functions - ready to serve smart card security?
By Heiner Fuhrmann
It is the nature of things. Put a product into the limelight with exceptional security promises and you draw the attention of both potential customers and attackers.
This is what happened when Physically “Unclonable” Functions (PUF) - used to extract individuality from semiconductors - were recently promoted for the high-end chip card market as “100% secure”, “unhackable” “silicon fingerprints”. University students and engineers set out to prove how vulnerable PUFs are and how easily they can be attacked. The resulting plethora of attacks should be taken very seriously, as they show that PUF in its current state is not ready to serve applications with high security demand such as payment cards and government identification documents. For this class of well-established applications, PUFs today do not increase security at all. Worse, adding a weak link to a formerly secure system can render the whole system insecure.
The concept of PUF is not new. It originated in the 1980s but gained attention in the smart card market only in the 2010s. It refers to specific characteristics of semiconductor chips that can be used to generate chip-individual keys or functions, like fingerprint biometry in the human world. This is possible because chips, as a result of the manufacturing process, differ slightly from each other. These small deviations have no relevant influence on the proper function of the chip but allow the derivation of unique keys.
PUF is arguably a creative way to provide uniqueness in electronic systems that do not have the means to securely store keys, such as pure logic products that come without non-volatile memory (NVM). But one must look closely at the boundary conditions before delegating security-critical functionality to PUF technology. In particular, the term “unclonable” is overreaching and raises high expectations that will be disappointed. In response to the exaggerated security claims for PUF in smart card applications, numerous attacks on the technology have been published, and the stream of papers still swells (see some examples at http://www.infineon.com/Literature_PUF_attacks).
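
The chip-to-chip deviations described above can be modelled in a few lines. The following Python sketch is an added example, not part of the original article: it assumes an SRAM-style power-up fingerprint with a Gaussian mismatch-plus-noise model, and the cell count, noise level and matching threshold are constructed values.

```python
import random

CELLS = 4096        # assumed number of memory cells read at power-up
NOISE_SIGMA = 0.1   # assumed power-up noise, relative to the mismatch spread

def make_chip(rng):
    """Per-cell mismatch fixed at manufacture (constructed Gaussian model)."""
    return [rng.gauss(0.0, 1.0) for _ in range(CELLS)]

def power_up(chip, rng):
    """One start-up readout: mismatch plus fresh noise decides each bit."""
    return [1 if m + rng.gauss(0.0, NOISE_SIGMA) > 0 else 0 for m in chip]

def enroll(chip, rng, reads=9):
    """Reference fingerprint: per-cell majority vote over several readouts."""
    shots = [power_up(chip, rng) for _ in range(reads)]
    return [1 if sum(col) * 2 > reads else 0 for col in zip(*shots)]

def distance(a, b):
    """Fractional Hamming distance between two bit vectors."""
    return sum(x != y for x, y in zip(a, b)) / len(a)

def identify(readout, references, threshold=0.25):
    """Index of the enrolled chip closest to the readout, or None."""
    best = min(range(len(references)),
               key=lambda i: distance(readout, references[i]))
    return best if distance(readout, references[best]) < threshold else None

def experiment(seed=2013, chips=8):
    """Enroll a small population, then re-read every chip and match it."""
    rng = random.Random(seed)
    population = [make_chip(rng) for _ in range(chips)]
    refs = [enroll(c, rng) for c in population]
    # Worst case for the same chip read twice (noise only).
    intra = max(distance(power_up(c, rng), r) for c, r in zip(population, refs))
    # Closest pair of different chips (manufacturing variation).
    inter = min(distance(refs[i], refs[j])
                for i in range(chips) for j in range(i))
    matches = [identify(power_up(c, rng), refs) for c in population]
    stranger = identify(power_up(make_chip(rng), rng), refs)  # never enrolled
    return intra, inter, matches, stranger

if __name__ == "__main__":
    intra, inter, matches, stranger = experiment()
    print(f"worst same-chip distance {intra:.3f}, closest other chip {inter:.3f}")
    print(f"identified as {matches}, unenrolled chip -> {stranger}")
```

The matcher compares bit patterns only, so the fingerprint identifies a chip just as long as no other device can present the same pattern.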
Early this year researchers from the Technical University of Berlin demonstrated how to actually clone a Physically “Unclonable” Function in practice in only a few hours. This was achieved with standard university equipment and applied to the most widespread PUF implementation, which uses SRAM memory cells as the source for the chip-individual key material. Additionally, an array of well-known attack classes has been successfully deployed against PUF implementations. These include side-channel attacks (using the unintended leakage of secret information), fault attacks and physical manipulation of the chip. Manipulated PUF implementations have also been identified as a potential gateway for the introduction of Trojan backdoors into security chips that are manufactured in typical mass production processes. In this case an assumed security function would in fact turn out to be a non-identifiable entrance for invaders.
To sum up, secure identification of semiconductor products is an important functionality, and several technical implementations are already available or under research for multiple application fields. Physically “Unclonable” Functions are one specific way to address this challenge under certain boundary conditions, such as the absence of secure key storage and low security requirements of the application in question. However, the steadily growing evidence of severe security weaknesses of current PUFs clearly forbids using this technology for applications with high security demand such as payment and government identification.
Dr. Heiner Fuhrmann heads the product marketing and technical marketing of the Government ID Business Line at Infineon Technologies AG (www.infineon.com). He can be reached at SiliconIdentity@infineon.com

