Paper: Restricted Authentication and Encryption for Cyber-physical Systems
Authors: 1. Michael Kirkpatrick
Department of Computer Science
2. Elisa Bertino
3. Frederick T. Sheldon
Cyberspace Sciences & Information Intelligence Research
Oak Ridge national Laboratory
Problem : One among the problems that CPS face is the data integrity. In CPS, we cannot guarantee whether the origin of the data is kept intact and the data is tamper free. CPS also requires proper access control. Traditional approaches to authentication and access control are identity based. For example, a user making an access request needs to give lot of credentials that is a proof of their identity. However, this is insufficient when we consider critical systems such as CPS. CPS might need multi-factor authentication i.e, authentication that not only depends on identity of the person but also other authentication factors such as hardware based authentication methods. We might also require lightweight schemes that is required for binding access request to the hardware.
Solution : This paper focuses on a hardware based technique for CPS – PUF
PUF – Physically unclonable functions that quantifies the variations to produce a value that is unique for each hardware. The key properties of PUF are:
1) Executing PUF on different physical instances of the same hardware produce different results
2) Repeatedly using PUF on a single piece of hardware produce same result
Novelty: The common use of PUF is in securing the strength of the cryptographic keys.
Consider an example:
Private key k is installed in a PUF enabled hardware. The PUF is evaluated to produce a machine specific value ‘m’. m and k are xor’ed and the result x= k ⊕ m is stored locally. At run-time, the private key k is reconstructed by combining the stored value with the machine-specific value, i.e., k = x ⊕ m.
If attacker gains access and transfers x to another machine, the value of m is changed. Hence the resultant k value is also different.
Once, the hardware instance is identified, then CPS can enforce more access constraints. For example, if the location of the hardware is known, spatial constraints can be applied.
Analysis: Through PUF, CPS can provide advanced forms of encryption.
The output of PUF can be used as a unique identifier. This restricts the access control of the system. PUF can also be used to create cryptographic keys and it is unique for each device. However, the value for one piece of hardware remains the same irrespective of the number of times PUF is implemented.
Some of the challenges associated with this method:
There is a limited availability of technology. We might need to create new PUF for devices that are based on technology and for which PUF implementation doesn’t exist. Another challenge is protection of key at the run time. If the value of m is leaked then the authentication can be forged. There is also a need to find protocols for complex operations such as modular exponentiation and elliptical curve calculations.