A semiconductor “passport” for every device
Unique identity (UID) is the identifier typically stored on each chip and an essential part of a Hardware Root of Trust.
Today it is essential to have a robust identification and authentication process in place to verify both data and the authenticity of each device's identity. The UID acts as a passport for a semiconductor when it connects to a network or to another device. It serves as the chip's primary identifier and, for example, establishes an auditable trail across its journey through the supply chain, verifying its origin at each stage.
A chip can use its UID, an internal secret, as a seed for key generation or as a root key; combined with an external plaintext number, it can also serve as a chip identifier or product serial number. A UID can further protect a device from unauthorized access or cloning through authentication and authorization algorithms.
The most frequently used process to generate a UID is key injection, which has three major steps: enrollment, authentication, and provisioning. Recall that the main goals of a UID are to uniquely identify and reliably authenticate each chip, to track it, and to create an audit trail that establishes its origin. It is therefore vital to keep the secret UID safe, and with the key injection method this requires an expensive secure facility and a standard set of operating procedures. Injected UIDs also carry the risk of leaked secrets and product cloning, because the key does not remain entirely inside the device during the key injection process.
An inborn UID can be derived from a PUF and is a safer alternative that resists identity cloning, because each stage (enrollment, authentication, and provisioning) is performed internally within the chip, with no need to store any secrets externally. Hardware-generated inborn UIDs therefore eliminate the risk of exposure during the traditional key injection process. They also significantly reduce fabrication costs by removing the need to maintain a secure key injection environment and an external key management system.
The figure below shows an example of how a host server uses a PUF-based UID for follow-up authentication and authorization of an external network node.
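The following is an added illustration, not code from the original article or from any vendor's PUF product, of the inborn-UID flow described above: a secret is enrolled from the chip's PUF bits, a root key and a public chip identifier bound to an external serial number are derived from it, and the host then authenticates the device with a challenge-response. It assumes (the article does not say this) that raw PUF reads are slightly noisy, so enrollment produces public helper data and reconstruction uses a repetition-code majority vote, and that the host registered a per-device verification key at enrollment (an asymmetric variant would hold only a public key).

```python
import hashlib
import hmac
import os

REP = 5           # repetition-code length; majority vote tolerates 2 bit flips per group
KEY_BITS = 128    # size of the secret recovered from the PUF

# Constructed stand-in for 640 raw silicon PUF response bits (KEY_BITS * REP).
PUF_RESPONSE = bytes.fromhex("7f3a" * 40)

def read_puf(flip_positions=()):
    """Simulate a PUF read; real reads are noisy, so optionally flip some bits."""
    bits = bytearray(PUF_RESPONSE)
    for pos in flip_positions:
        bits[pos // 8] ^= 1 << (pos % 8)
    return bytes(bits)

def _bits(data):      # bytes -> list of bits, LSB first
    return [(b >> i) & 1 for b in data for i in range(8)]

def _bytes(bits):     # list of bits (LSB first) -> bytes
    return bytes(sum(bit << i for i, bit in enumerate(bits[j:j + 8])) for j in range(0, len(bits), 8))

def enroll(response):
    """Enrollment inside the chip: pick a secret, repetition-encode it, mask it with
    the PUF bits. Only the helper data leaves the chip; it is public, but the code
    choice must still be analysed for leakage about the PUF bits."""
    secret = os.urandom(KEY_BITS // 8)
    codeword = [bit for bit in _bits(secret) for _ in range(REP)]
    helper = _bytes([c ^ r for c, r in zip(codeword, _bits(response))])
    return secret, helper

def reconstruct(response, helper):
    """Recover the secret from a fresh (noisy) PUF read plus the public helper data."""
    noisy = [h ^ r for h, r in zip(_bits(helper), _bits(response))]
    return _bytes([int(sum(noisy[i:i + REP]) * 2 > REP) for i in range(0, len(noisy), REP)])

def root_key(secret):
    return hashlib.sha256(b"puf-root" + secret).digest()

def chip_id(root, serial):
    """Public identifier: root key bound to an external plaintext serial number."""
    return hmac.new(root, b"chip-id" + serial, hashlib.sha256).hexdigest()[:16]

def auth_key(root):
    return hmac.new(root, b"auth", hashlib.sha256).digest()

def respond(root, nonce):
    """Device side of the host's challenge: prove possession of the PUF-derived key."""
    return hmac.new(auth_key(root), nonce, hashlib.sha256).digest()

def verify(registered_auth_key, nonce, response):
    """Host side: constant-time comparison against the key registered at enrollment."""
    return hmac.compare_digest(hmac.new(registered_auth_key, nonce, hashlib.sha256).digest(), response)
```

Three flips spread across different groups still reconstruct the same secret, while three flips inside one group exceed the code's correction capacity and yield a different key, which is the failure mode a real design sizes its error-correcting code against.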