Authentication technology provides access control for systems by checking whether a user's credentials match the credentials in a database of authorized users or in a data authentication server. The security level of this authentication method depends greatly on protection and protocol design.
PUFauth provides an integrated PUF-based hardware solution including protocol design, key protection and session-key generation.
Symmetric authentication with robust protection of shared secret and high-quality nonce: PUFauth
One of the most commonly used authentications for chips is challenge-response authentication. An example is described below. In the beginning, a two-way authentication scheme has a shared key on both sides. An authentication raised by a host usually transmits a nonce as a challenge. After the client side receives this nonce, it will encrypt the nonce and send it back to the host as a response. The host will also encrypt a nonce by itself. Lastly, once a host receives an encrypted nonce sent by a client, it will check whether the encrypted nonces are the same to verify a client’s identity.
Using a one-time nonce can ensure that every challenge-response sequence is unique. Such encrypted or hashed exchanges do not directly reveal data or shared secrets to an eavesdropper. Moreover, a randomly generated nonce on each exchange guards against replay attacks, where attackers simply record the exchanged data and retransmit it later as another authentication. Such an attack may supply enough information to let an eavesdropper deduce what the shared key is by using a dictionary attack or brute-force attack.
Secure authentication relies on the robustness of shared key protection and protocol design. PUFauth integrates both PUFkeyst and PUFtrng to enhance the strength of shared key protection and higher quality nonce generated by PUFtrng. Moreover, for two-chip authentication scenarios, if the chip is enabled with Elliptic Curve Cryptography (ECC), PUFauth can use ECC to generate shared keys from PUFuid by a Diffie-Hellman key exchange. This can add another layer of protection and eliminate key-management issues.
PUFauth easily enhances the security of authentication without changing an existing design. PUFkeyst provides secure storage for shared keys without the use of crypto algorithms. Moreover, this approach significantly accelerates the authentication process. PUFtrng can provide higher quality nonce that cannot be predicted.
The U.S. government's National Information Assurance Glossary defines strong authentication as a layered authentication approach relying on two or more authenticators to establish the identity of an originator or receiver of information. PUFauth works with a customer’s elliptic curve cryptography (ECC) to provide “strong authentication”. PUFuid works as another authentication factor. Diffie-Hellman key exchange provides an exchange key method over an unsecure channel to generate a shared secret. Moreover, combined with PUFtrng, PUFuid can also generate nonce-based data as another authentication factor directly derived from an inborn value.
Integrated PUF-based hardware solution including protocol design, shared key protection and session key generation.
Customized symmetric and asymmetric authentication protocol design.
Short initialization time for nonce generation.
PUFuid as the shared secret and key injection compliance.