//php echo do_shortcode(‘[responsivevoice_button voice=”US English Male” buttontext=”Listen to Post”]’) ?>
When everything is connected, everything is at risk. The proliferation of internet of things (IoT) devices for smart homes has raised security and privacy concerns to their users. By implementing a hardware root of trust, the authenticity, integrity and confidentiality of devices are enforced, and smart homes are protected against would-be attackers.
Security in IoT should never be an afterthought. Over the years, attacks have become more frequent, sophisticated, devious and targeted. From the voice assistant to the baby monitor to the smart-heating system, billions of smart-home devices are now vulnerable to endpoint intrusions.
To establish a foundation of trust, IoT device makers need to get identities and keys into their devices and keep these assets secure. Intrinsic ID, a spinout of Royal Philips Electronics, has developed IP solutions based on physical unclonable functions (PUFs) to secure connected devices.
With the explosion of connected IoT devices per household, it has become critical to ensure data security and privacy preservation. Every device potentially represents an entry point for malicious intrusion, from the device itself to the network it is connected to.
A hardware root of trust is the foundation for protecting smart-home endpoints and services. It establishes an anchor point for the chain of trust by creating a unique, immutable and unclonable identity to authorize a device in the IoT network.
For many years, PUFs have been deployed as a hardware root of trust. A PUF is a physical structure from which a device-unique and unclonable cryptographic key is created. It leverages the deep submicron variations that occur naturally during the chip-manufacturing process and gives each transistor slightly random electrical properties.
There are different ways to use a PUF to secure a device. Eindhoven, Netherlands-based Intrinsic ID has built a foundation of trust based on static random-access memory (SRAM) PUFs.
In an interview with EE Times Europe, Pim Tuyls, CEO of Intrinsic ID, explained, “To build a root of trust in a very secure and scalable way, we extract the credentials from the hardware of the chip itself. Every chip is physically different due to the process by which it is made.”
Tuyls continued, “When a chip is made, silicon is doped to make sure you get some electrical properties in the transistors. That doping cannot be 100% controlled, and the result is that every transistor on the chip has a unique threshold voltage.”
The transistors’ threshold voltages are different, but not too different or else the chip would not work electrically. And when the physical properties of the transistors change, they all change more or less with the same value.
When the SRAM is powered on, the randomness is expressed in the startup values (0 or 1) of SRAM cells, and the startup values create a highly random and repeatable pattern that is unique to each chip, Tuyls explained. There is SRAM in every digital chip, and SRAM is available in every node. When the power comes up, every cell chooses a unique and random pattern of 0 and 1. This pattern results in a silicon fingerprint that serves as a unique identifier for the chip and builds the foundation of a security subsystem. And when the device is powered off, no secret key can be found in any memory. The root key is “invisible” to hackers.
“SRAM is volatile, which means that if you power off the chip, all values disappear,” Tuyls said. “There is no trace in the memory, so even if hackers break open the device, they will not find any secrets. They are protected from the physics, and that brings security levels substantially higher to what has been possible in legacy systems.”
SRAM PUFs do not store a key, and what is not stored cannot be stolen, cloned and shared. SRAM PUFs protect secrets from reverse-engineering attacks. They are also flexible, scalable, easy to use and low-cost, Tuyls claimed.
Extracting an encryption key
The SRAM PUF is used to derive a cryptographic key unique to the device. Because the response from the SRAM PUF is a noisy fingerprint, a post-processing algorithm is needed to turn the silicon fingerprint into a high-quality and secure cryptographic key. This is done with Intrinsic ID’s IP.
“We have developed an algorithm that extracts from the startup values of the SRAM a unique and very stable sequence—‘unique’ because no other chip is the same and ‘stable’ because, whether you use that chip in Phoenix or in Alaska, or 25 years from now, you will always end up with the same sequence,” Tuyls said.
The algorithms are about error correction to extract exactly the cryptographic key every time and under all environmental circumstances. They are also about entropy extraction, or privacy amplification, to make sure the cryptographic key is fully random.
In smart homes, cryptographic keys are needed to verify the device’s identity, secure the communication between devices and encrypt sensitive data at rest as well as in transition. They create a chain of trust for IoT devices.
Ensuring reliability over time
All electronic devices gradually change over time. They simply age, and the main degradation effect that leads to SRAM failure is negative-bias temperature instability (NBTI). It causes a gradual increase in the threshold voltage.
If no anti-aging countermeasures are taken, SRAM PUFs tend to become less reliable.
“With our SRAM PUF, we can use the NBTI phenomenon to our advantage by writing a specific pattern into the SRAM such that every SRAM cell ages to its preferred startup value,” Tuyls said. “We can make an SRAM age in the right direction to decrease the noise and guarantee its reliability over long periods of time.”
The behavioral characteristics of an SRAM PUF depend on the environment to which it is exposed, such as ambient temperature, supply-voltage variation and electromagnetic interference. Intrinsic ID claims it has performed millions of measurements and accelerated aging tests on SRAM PUFs to make sure they work correctly in temperatures ranging from –55˚C to 150˚C, with a voltage variation of ±20%.
Intrinsic ID has integrated the error correction, randomness extraction, security and anti-aging techniques into its products. Today, its SRAM-based PUFs are deployed in MCUs, FPGAs, sensors, data center chips and banking cards.
Complying with protocols and certifications
As customers add new features, their security expectations increase and their demands for certification and standardization become more pressing. Intrinsic ID’s hardware and software IP have been certified for the NIST Cryptographic Algorithm Validation Program (CAVP). They have also been deployed in devices certified by EMVCo, Visa, CC EAL6+, PSA, ioXt and governments worldwide.
“One of the trends that we are seeing for 2023 is the adoption of the Matter protocol,” said Vincent van der Leest, product marketing director at Intrinsic ID. Matter, formerly Project Connected Home over IP (CHIP), is an open-source interoperability standard that aims to make smart-home devices secure, reliable and seamless to use. In November 2022, the Connectivity Standards Alliance (CSA) released the Matter 1.0 standard for both hardware and software.
Van der Leest said NXP and Silicon Labs have both released Matter-compliant chipsets using Intrinsic ID’s root-of-trust technology.