PUF – Breathing New Life into Smartcard Security

Last week I picked up on the news from NXP about its on-going efforts in strengthening the security of chips used in smartcards and related embedded authentication technology. The thrust of the announcement was to highlight how integrating PUF (physically unclonable function) technology from Intrinsic-ID into its already highly secure SmartMX2 chips, further safeguards users from data or monetary theft.

Recognizing that this is both an intriguing but also highly complex subject, I promised to provide you with more insight into what it is all about and how it works. So, having read more about this and aiming to cut through any marketing puffery (but not the puns), here is my digest:

The starting point for understanding the advance brought about by PUF is recognizing the vulnerability in traditional hardware security systems that use a cryptographic key hidden in the device itself. While these solutions use a variety of hardware, software and other encryption measures to protect this key from discovery, ultimately the hardware is only as secure as the secret key protecting it.

In the past, only fairly limited techniques were available to anyone with malicious intent, wanting to discover a chip’s security key. You could passively analyze the device’s behavior by probing its electrical connections or monitoring any radiated RF signals. Or a slightly more invasive approach might be to induce faults in the chip, with a voltage glitch or by applying laser light, in the hope of gaining access to its memory contents.

The problem, in recent times, is that even more invasive techniques, using sophisticated equipment such as scanning electron microscopes (SEM) and focused ion beams (FIB), once the province of well-funded industrial, academic and government R&D departments, are now widely accessible. These tools make it easier to find the secret keys and either break the hardware security or reverse-engineer the devices to gain access the data or funds they protect.

As I discovered last week, PUF is also a cryptographic technology but the difference is that, unlike most current security devices, it does not store the encryption key. Instead it relies on an unique information of the device and some piece of data which even can be public. The encryption key is shortly generated for oparation.

After the operation is completed the key information is removed from all internal registers, leaving nothing for the attacker to find.

‘What is this unique information?’ I hear you asking. Well, essentially it comes from micro- or nano-scale physical structures within the integrated circuit that are inherent or intrinsic characteristics of all deep-submicron manufacturing processes. These are the PUFs, akin to an electronic fingerprint, that identify each manufactured chip as a unique object and which can therefore be used to generate a unique encryption key.

So that’s the secret of this technology that leaves counterfeiters out of breath (PUF) and struggling to keep up.