Three Approaches to IoT Security: Part One

There is no single path to securing mobile devices and networks. This three-part series of articles will explore a trio of different security approaches that companies deploying Internet of Things technologies might consider as they develop IoT products and services.
Published: July 29, 2015

(Read Part Two.)
(Read Part Three.)

For all the talk about the importance of securing the Internet of Things, discussions often lack in specifics. But in recent weeks, IOT Journal has talked with three organizations that are developing different approaches to data security and privacy in the IoT. Today’s article focuses on a new approach that was developed at Sandia National Laboratories, which is now seeking technology partners to help commercialize the approach in a way that could have broad IoT applications.

When Peter Choi, a principal member of Sandia National Laboratories’ technical staff, began working on technological approaches that international agencies could use to ensure compliance with nuclear nonproliferation treaties, he never thought he would develop something that could also be utilized to improve the security of the Internet of Things, including smart cards and other radio frequency identification (RFID) devices.

Peter Choi

“Countries that deal with nuclear resources sign treaties saying, ‘We’re only using this for energy, not weapons,'” Choi explains. To help monitor the actions of these nations, the international community “has a pretty serious need for sensor devices that can be placed in other countries.”

Most current approaches rely on RFID tags, Choi says, which are susceptible to tampering by those who could modify the information or change the tags’ unique identifiers to conceal actions in violation of treaties. When looking for alternate technologies, Choi and his staff studied an approach to encryption called the physically unclonable function (PUF).

PUF can be implemented in multiple ways, but all approaches exploit very small variances (often measured in nanoscale) in chip manufacturing. For example, chipmakers use millions of transistors, and a very highly controlled process with the goal of producing integrated circuits so that each one is exactly alike the others. “But when you’re soldering in these very small transistors, there is no manufacturing process that can control the amount of metal applied to the chip at the molecular level,” Choi explains. “So there are nanoscale variants in producing the IC that gives rise to a very unique signature for each circuit.” As a result, he says, every IC has a unique fingerprint.

But using PUF to authenticate devices has some drawbacks. For example, ambient temperature and a device’s age can impact the signal propagation enough to result in changes to the PUF fingerprint. So after further study, Choi and his team created an approach that they called the physically unclonable digital ID (PUDID). This is based on PUF, but uses fingerprinting at the macro instead of nanoscale. At the macroscale, a hacker might have the capability to reproduce the fingerprint, but that fingerprint would be so complex that it would be extremely onerous to hack.

“Take, for example, an optical lens,” Choi says. “You make it and then sandblast it. The sandblasting process is very chaotic, and it’s almost impossible to produce two lenses with same pattern of scratches.” With the PUDID approach, the sandblasted lens could be used to capture an image—of, say, a set of characters in a particular font and with specific spacing.

The party that issues the secure device possesses both a clear image of the characters and the obscured image, and creates an algorithm to descramble the latter version. This algorithm serves as the key for an authorized party to unscramble the image that is obscured (by the sandblasted lens) and to unlock the character set.

A sketch of the quasi-physically unclonable digital ID (Q-PUDID) concept, courtesy of Peter Choi

The issuing party has access to both scrambled and unscrambled versions of the image. An authorized party receives the scrambled version and can use the algorithm to unscramble it, so it works like an algorithm that decrypts any hashed data. Therefore, the encryption is digital but the way in which it is produced is physical (the special lens). The descramblers are designed to be inexpensive to produce and distribute to authorized parties.

Choi’s team continued to investigate how PUDID might be deployed in a real-world setting and ended up developing a variant of the solution that it calls quasi-physically unclonable digital ID (Q-PUDID). With Q-PUDID, Choi says, “We are actually keeping the features of PUF that we want and eliminating the negative features of PUF, such as the fact that the manufacturer needs to come up with a unique ID and hand it over to whoever is purchasing the PUF devices. Q-PUDID eliminates that by creating and coupling the ID out in the field, when the end user wants to use it, and then that unique ID is coupled with human input, such as a PIN or biometric data.”

Instead of a PUF generator, Q-PUDID uses a mixture of tamper resistant hardware and hash functions to generate dynamic authentication code. To illustrate its commercial applicability, Choi describes how banks could employ Q-PUDID to make credit-card transactions more secure.

“You walk into a bank and say ‘I want an account with $1 million transaction capabilities.’ The banker asks for your birth certificate or other documents and says, ‘Okay, come here to this kiosk and sign your name,'” Choi explains. The digital sign pad captures each pixel’s x-y coordinates and the exact time at which each is populated as you sign your name. It also tracks the pressure exerted on the pad. That information—which is unique to that signing event, since it could never be repeated in exactly the same manner, populating the same pixels at the same pressure and time—is securely transmitted to the Q-PUDID devices (e.g., your Q-PUDID bankcard and the bank’s Q-PUDID hardware). The bank then puts that information through a hash function to encrypt it and securely stores the encrypted data.

If a smartphone were to be made with an embedded Q-PUDID chip, the bank, or any identity-verifying entity, could also encode that unique, encrypted data onto her phone. When a consumer makes a purchase using her phone at a retailer, the encrypted signature collected when she opened her account, along with dynamic information—such as the store location, as well as the time and date of purchase—are combined, and all of this data is put through the Q-PUDID processor where it is encrypted again with a hash function. The result is a short, unique set of dynamic characters that the bank can regenerate and compare with the purchaser’s phone-generated code using bank’s Q-PUDID processor.

“With Q-PUDID,” Choi states, “we are capturing a physical event that can’t be replicated, and then coupling a device to the human being. This dynamic authentication is the key to Q-PUDID.”

Using Q-PUDID, a company could add a new level of security to smart home devices, which Choi argues are currently highly susceptible to hackers because they rely on a number that a hacker could access, such as a MAC address or another serial number. “They can hack into your toaster and burn down the house,” he quips. But using Q-PUDID, the manufacturer or retailer could capture the buyer’s signature (in three dimensions, as described above) and encode that to the Q-PUDID chip inside the device.

“With our solution, say that I purchase a home security system with five different cameras,” Choi says. “When I purchase the cameras, the unique signature associated with my phone is saved to a chip inside each camera. Now by using our Q-PUDID communication protocol, cameras will only listen to commands coming from my Q-PUDID phone and no other phone or computer.”

In another example, Q-PUDID is used to authenticate a user to her smartwatch, based on her biometrics. The user would put the watch on her wrist, and it would continuously collect her physiological data. “As long as my Q-PUDID SmartWatch knows it is attached to me, it can securely communicate my ID to my Q-PUDID phone and I can be assured that my ID is completely ‘hack-proofed’ since my physical ID is never exposed in the communication link between the two devices.,” Choi says.

Based on Choi’s research and the Q-PUDID concept, Sandia National Laboratories posted a solicitation to the Federal Business Opportunities register on June 26, seeking commercial partners to help it “bring active authentication technologies developed by Sandia to market readiness and deploy.”

“We’ve had a good response,” Choi remarked during an interview in early July. “We’ve heard from mobile industry players and big defense contracting companies, as well as from a PUF-related startup. Before the September 26 [2015] deadline, I’m hoping to get more responses from hardware security module companies.”

(Read Part Two.)