SRAM PUF. Implementation of unique IDs based on the “digital fingerprint” of microcircuits

In the last article, it was mentioned that modern manufacturers of IoT devices implement the PKI system directly at the factory. That is, right on the conveyor. Each device receives a unique ID and certificate that identifies and authenticates that particular device throughout its lifecycle.

How does this happen, in a nutshell?


Consider the situation for
Carnegie Technologies example. This system integrator is implementing the Longview platform to manage LoRaWAN devices for customers in various industries: construction, oil and gas, real estate developers, smart cities, and more. Carnegie places production orders with the company EMSwhich specializes in the manufacture of sensors and gateways.

The Longview security system includes three levels:

  1. Native 128-bit LoRaWAN encryption
  2. SRAM PUF (Physical Unclonable Function) – generating a key and unique device identifiers. Used system Intrinsic ID. Due to the smallest anomalies in the production of microcircuits, each chip is physically slightly different from the others. This allows the PUF system to use a “physical RNG” and some sort of digital fingerprint to uniquely identify each sensor.

    No special hardware devices are required for PUF to work. All functions for creating a key store or obtaining multiple keys can be implemented as hardware integrated circuits or in software. The only hardware required is the unique physical structure of the PUF itself. Thus, on any device where PUF algorithms have access to (uninitialized) SRAM memory, a SRAM PUF system can be implemented. This distinguishes SRAM PUF from other methods of generating unique hardware IDs.

    By opinion some embedded systems experts, this is the only currently existing type of PUF that can be implemented in hardware by simply downloading software to the device.

  3. CA for signing certificates

Certifications are needed to protect devices throughout their entire life cycle, from manufacturing and deployment, to long-term operation and competent replacement at the end of the term.

For this particular client, GlobalSign installed a Longview Private CA that issues an IDevID certificate (also called “birth certificates”) for each gateway manufactured by EMS.

During the deployment phase of gateways, Local Device Identity (LDevID) certificates are also issued, which are subsequently updated if necessary.



Longview and platform integration IoT Identity Platform

As shown in the diagram, the private CA is integrated into the IoT Edge Enroll platform while using AWS resources.

As we told in

last article

IoT Identity supports a range of operations throughout the lifecycle of devices, including certificate and key management, token issuance, and secure code signing.

If the platform is installed directly at the device manufacturer, then the IoT Identity system is also implemented directly from the assembly line.

The schema might look like this:

  1. Production CA

    This certification authority (CA or CA, as in the diagram) signs the keys on the endpoints. The server generates unique endpoint public/private key pairs and sends batches of CSR signing requests. Signed endpoint certificates are returned from the CA and distributed to all production sites.

  2. Firmware signing CA

    This CA creates a firmware signing certificate. This is another element in the hierarchy of trust, but located in a secure cloud and accessed very rarely and only by authorized persons.

  3. Code Verification CA

    This CA issues certificates for individual devices that potentially interact with millions of endpoints. A unique key pair is generated for each device, the public key is sent to the CA for signing, and certificates are dynamically distributed to endpoints to verify signed critical commands (for example, proprietary network interfaces of the manufacturer may be used).

IoT Edge Enroll is a first-of-its-kind Device Registration Authority as a Service (RaaS) for identifying and authenticating certificate applicants.

Edge Enroll speeds up the installation and operation of RA using a number of pre-designed workflows. These are policy templates, certificate profiles, and standard registration methods that are suitable for typical IoT use cases, while still leaving room for additional customization. For unique use cases, PKI specialists offer professional RA configuration services with modular plugins.

Connecting enrollment servers through the EST API speeds up integration.

Functions

  • Device Lifecycle Manager: policy manager, users, CA accounts, register of identifiers, audit. The Device Lifecycle Manager allows authorized administrators to view enrolled or whitelisted devices and their status through device storage. It gives you access to a certificate store to manage certificate expiration, renewal, whitelisting, and re-registrations. Administrators can even view a history of when and how the device was enrolled and managed.
  • Direct integration with GlobalSign CA for obtaining certificates in production: key generation, policy enforcement, enrollment servers, CSR generation, certificate templates, preconfigured workflows

Who uses Edge Enroll:

  • Device manufacturers and operators: to generate device IDs and digital certificates, to reduce the operating costs of device registration, and to simplify the entire system for registering and managing devices
  • Chip manufacturers: For them, ID-embedded smart chips create a competitive advantage to secure the supply chain from top to bottom
  • IoT system developers and organizations that want to manage unique device IDs throughout their lifecycle

Recently, the analytical company ABI Research published

independent analysis of IoT Identity platforms

.

The rating is based on the most relevant aspects of IoT implementation, including security, identity management, network deployment, partner ecosystem size, and intelligent automated services.

The report includes eight certification centers (CAs). The companies were divided into three groups:

  • Market leaders: Device Authority, Entrust, Digicert, GlobalSign
  • main stream: HID Global, Sectigo
  • Followers: WISeKey, Nexus

The authors of the report note that market leaders offer not only a standard ecosystem, but also specific services focused on specific IoT applications. There are additional options for digital certificates (except X.509), non-standard methods of management, taking into account bandwidth restrictions and specific connection requirements. As a result, users get the opportunity to customize their own IoT Identity system.

As you can see, IoT Identity systems are in demand by chip manufacturers, device vendors, and system integrators. Device Registration Authority as a Service (RaaS) is fairly affordable and easy to manage.

Similar Posts

Leave a Reply