This article was first published on www.intrinsic-id.com
The RESCURE consortium, consisting of the companies Technikon and Intrinsic ID, along with the Eindhoven University of Technology (TU/e), was created to address the need for a security solution that spans the lifecycle of devices in the Internet of Things (IoT). The solution provided by the consortium resolves security vulnerabilities in this lifecycle using SRAM Physical Unclonable Function (PUF) technology in combination with state-of-the-art cryptography and security protocols.
The IoT is expanding fast, and so are risks to its security. The fact that IoT devices are deployed frequently with failing security implementations becomes clear with even a quick look at NIST’s National Vulnerability Database. This database includes instances of devices with poorly hidden or repeated secret keys, improper – or absent – authentication, and unguarded software update conduits, to name just a few security issues known to exist in devices already in the field.
The consequences of any IoT breach can be severe as IoT devices are often used in safety-critical applications, such as transportation systems, smart electricity grids, and water-supply systems. Compromising a single device, even a seemingly insignificant one, can bring down complete infrastructures, violate the privacy of millions of people, and disclose confidential data. Because IoT devices typically run autonomously across a broad range of untrusted environments, it can be very difficult to detect an attack quickly, and very costly to physically access the devices for repairs.
Protecting an IoT device is complex. It has to be protected not only in the field, but throughout its entire complex and far-flung lifecycle. Various phases of the lifecycle of an IoT device involve different parties with a variety of security needs. Often, there is no one party among these varied players that has any incentive, expertise, or even ability to completely take care of security.
RESCURE is a project funded by the EU and the EUREKA programme Eurostars (Grant: E11897, project duration: February 2018 - April 2020). The goal of the project, carried out by the companies Technikon and Intrinsic ID along with the Eindhoven University of Technology (TU/e), has been to provide a flexible framework that allows IoT device security to be updated throughout the entire lifecycle of the device.
RESCURE achieves this by retrofitting security on existing IoT devices using a low-cost solution, based on SRAM PUF technology. Tiny uncontrollable variations in the manufacturing of SRAM transistors lead to SRAM start-up behavior that is unique for every individual chip. SRAM PUF technology uses SRAM start-up data as a “silicon fingerprint” for the microcontroller unit (MCU), turning this unique property of SRAM into an unclonable device identity by deriving a device root key from the silicon fingerprint. This root key is never stored on the device, but instead it is generated only when needed.
The main advantages gained from this method of key generation and storage are:
Using this technology, RESCURE has created a working prototype of its security architecture that protects an IoT device throughout its lifecycle:
In the RESCURE security architecture, an SRAM PUF is enrolled on the device in the manufacturing stage, allowing it to create device-unique keys. These include public/private keypairs for setting up secure cloud connections, as well as symmetric keys that are used for protecting all valuable data and IP on the device. These secret keys are only available at runtime and are never stored on the device, so they can never be stolen. The silicon fingerprint of each device is unique, and because the secret keys are derived from this unique fingerprint, there is no possibility of secret keys from one device being copied to another device.
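The enrollment and on-demand key regeneration described above can be simulated with a code-offset helper-data scheme. This is an added example, not RESCURE or Intrinsic ID code: the article does not say how the fingerprint is turned into a key, so the scheme, the repetition code, the 3% noise rate, the simulated chips and all function names are assumptions.

```python
import hashlib, hmac, random, secrets

REP = 21            # assumed: each secret bit is spread over 21 SRAM cells
SECRET_BITS = 128   # assumed secret length

def simulate_chip(chip_id):
    """Constructed stand-in for one chip's per-cell power-up preference."""
    rng = random.Random(chip_id)
    return [rng.getrandbits(1) for _ in range(REP * SECRET_BITS)]

def power_up(fingerprint, rng, noise=0.03):
    """One noisy start-up read: each cell flips with probability `noise`."""
    return [bit ^ (rng.random() < noise) for bit in fingerprint]

def _root_key(secret_bits):
    return hashlib.sha256(bytes(secret_bits)).digest()

def enroll(startup):
    """Manufacturing: returns (helper data to store, root key to discard)."""
    secret = [secrets.randbits(1) for _ in range(SECRET_BITS)]
    codeword = [bit for bit in secret for _ in range(REP)]
    helper = [c ^ s for c, s in zip(codeword, startup)]
    return helper, _root_key(secret)

def reconstruct(startup, helper):
    """Field: XOR a fresh read with the helper data, then majority-decode."""
    noisy = [h ^ s for h, s in zip(helper, startup)]
    secret = [int(sum(noisy[i:i + REP]) > REP // 2)
              for i in range(0, len(noisy), REP)]
    return _root_key(secret)

def derive(root_key, label):
    """Purpose-specific key from the root key (HMAC-SHA256 used as a KDF)."""
    return hmac.new(root_key, label, hashlib.sha256).digest()

def demo():
    rng = random.Random(2020)  # fixed seed so the simulated noise is repeatable
    chip_a, chip_b = simulate_chip("chip-A"), simulate_chip("chip-B")
    helper, key = enroll(power_up(chip_a, rng))
    same = reconstruct(power_up(chip_a, rng), helper)    # same silicon, new noise
    clone = reconstruct(power_up(chip_b, rng), helper)   # helper copied to another chip
    return same == key, clone == key

if __name__ == "__main__":
    print(demo())
```

Only the helper data is kept in non-volatile storage. The root key exists only after a power-up read on the enrolled chip, and the same helper data on different silicon decodes to a different key.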
The manufactured devices are then sold, typically to Service Providers (such as energy suppliers or railway operators), who place them in the field. These Service Providers handle the next phases of the IoT lifecycle:
For more information on RESCURE and its solution for securing IoT devices, have a look at our video above. Also, two papers about the project were recently accepted at scientific conferences and will be published at the ARES 2020 workshop WISI and at WISEC 2020.