IoT Security - BK Software IP
The accelerating expansion of the Internet of Things brings with it a comparably expanding threat model. The growing number of endpoints require strong identities as the foundation of trust to establish and scale robust security. BK is a secure root key generation and management software solution for IoT security that allows device manufacturers to secure their products with an internally generated, unique identity without the need for adding a costly, security-dedicated silicon. Since BK is a software implementation of SRAM PUF, it is the only hardware entropy source option for securing IoT products that does not need to be loaded at silicon fabrication. It can be installed later in the supply chain, and even remotely retrofitted on deployed devices. This enables a never-before-possible remote “brownfield” installation of a hardware root of trust and paves the way for scaling the IoT to billions of devices.
Unclonable Identities for the IoT
To solve security problems in IoT systems, such as authentication, product lifecycle management, reverse engineering and cloning, every device needs an unclonable identity. This consists of a secret key, a public key and a certificate. The biggest challenge is to get these credentials into the device. The figure below illustrates how this can be achieved by using BK software. BK creates the secret key of the unclonable identity from within, derived using the intrinsic randomness in uninitialized SRAM. This secret key is not stored but is dynamically regenerated from the SRAM PUF.
Completing the unclonable identity requires that a public key be generated from the secret key. And this public key can be turned into a certificate by signing it at a certificate authority. At that point the device is ready to prove its identity and set up a secure channel with another device, a server or a cloud.
Security Based on SRAM PUF
At power-up, SRAM bits settle in the one or zero state in a non-deterministic way that not even the manufacturer can predict or duplicate. That’s what makes the SRAM PUF response a physical unclonable function, or PUF, which can be used as a unique “silicon fingerprint.”
By nature some of the SRAM bits are unstable, making the fingerprint unstable. Turning a noisy fingerprint into a high-quality, secure key vault requires further processing. BK software IP provides this processing, which enables BK to reliably reconstruct the same cryptographic key under all environmental circumstances.
Upon first use, called the enrollment, the BK software generates an activation code (AC) which, in combination with the SRAM startup behavior, is used to reconstruct the intrinsic PUF key on demand, in real time. This PUF key is never stored but reconstructed when needed. Reconstruction is fast, starting at 0.5M cycles for 128-bit keys.
BK software offers functions to wrap and manage secret keys and data which then can be stored in unprotected memory. All of the BK features are accessed by the host software via the API.
BK software is available in different configurations and sizes. Contact Sales[@]Intrinsic-ID.com to learn more about BK configurations that might fit in your specific application.
|BK-Pro||Device-unique key derivation, random number generation, key wrapping and management, elliptic curve-based public key crypto functions (ECDSA and ECDH), and optional public key infrastructure (PKI) elements such as certificate signing request (CSR)|
|BK-Plus||Device-unique key derivation, random number generation, application key wrapping and management|
|BK-Safe||Low footprint, device-unique key derivation and random number generation|
Low Cost, Flexible & Secure
This software-only product is easy to integrate and improves time to market. No need for additional or modified silicon. Wrapped keys can be stored securely in unprotected memory. BK works on all MCUs, CPUs and allows for brownfield deployments of hardware-based security.
SRAM PUF responses have been qualified for use with BK over a wide operating range:
- Qualified top semiconductor fabs and technology nodes ranging from 350 nm down to 5 nm
- Semiconductor processes include low power, high speed and high density
- Temperature range from -55°C to 150°C [-67°F to 300°F]
- Voltage supply variation +/- 20%
- Lifetime > 25 years
BK Software IP is delivered as a library compiled for a specific target chip, along with API specifications and user manual.
|Security strength (bits)|
|SRAM PUF (kB)|
|Code size (kB)|
|Generate device keys and random values|
|Wrap and unwrap application keys|
|Public key crypto functions (ECDSA and ECDH)*||
|Cryptogram, certificate signing request (CSR), self-signed certificates (SSC)||
*Includes ECDSA Sign and Verify, ECDH Shared Secret, elliptic-curve support set: P192, P224, P256, P384, P521
SRAM PUF Benefits
- Use standard SRAM
- Unclonable and immutable
- Device-unique high-quality keys
- No secrets when power is off
- No root key programming
- Flexible and scalable
- Secure Key Storage
- Flexible Key Provisioning
- HW-SW Binding
- Supply Chain Protection
- EMVCo, Visa, CC EAL6+
- U.S. and EU Governments
- Automotive SPICE Level 1
- BK-Safe compatible w/China’s OSCCA standard