A Robust, Low-Cost and Secure Authentication Scheme for IoT Applications ^†

Abstract

The edge devices connected to the Internet of Things (IoT) infrastructures are increasingly susceptible to piracy. These pirated edge devices pose a serious threat to security, as an adversary can get access to the private network through these non-authentic devices. It is necessary to authenticate an edge device over an unsecured channel to safeguard the network from being infiltrated through these fake devices. The implementation of security features demands extensive computational power and a large hardware/software overhead, both of which are difficult to satisfy because of inherent resource limitation in the IoT edge devices. This paper presents a low-cost authentication protocol for IoT edge devices that exploits power-up states of built-in SRAM for device fingerprint generations. Unclonable ID generated from the on-chip SRAM could be unreliable, and to circumvent this issue, we propose a novel ID matching scheme that alleviates the need for enhancing the reliability of the IDs generated from on-chip SRAMs. Security and different attack analysis show that the probability of impersonating an edge device by an adversary is insignificant. The protocol is implemented using a commercial microcontroller, which requires a small code overhead. However, no modification of device hardware is necessary.

1. Introduction

The recent growth in Internet of Things (IoT) infrastructure has created an enormous potential for semiconductor design and manufacturing primarily to improve performance and enhance security. Billions of low-cost devices are connected to the Internet to provide seamless integration of computing systems to the physical world. These devices are commonly known as "things" or edge devices (EDs). The number of these connected devices has grown significantly and will continue growing at an astonishing rate in the near future [1,2,3]. As these devices are deployed in large geographic areas with limited energy resources and reachability, the power requirement becomes a significant issue for proper operations, which ultimately limits the usage of standard cryptographic schemes for secure operations [4]. Moreover, the cost of these devices requires them to have a low die area, which restricts the use of costly cryptographic primitives in the design. As a result, a majority of the EDs do not use computation and resource-heavy cryptographic schemes. HP mentioned in a report that 70% of the tested IoT devices communicate without encryption [5].

The use of cryptographic primitives does not necessarily ensure the authenticity of an ED, as the majority of them are manufactured offshore with limited trust and lack of government or other appropriate oversight. Moreover, as these devices travel through many distributors located across the globe, it is very difficult to determine their origin and the complete route in the supply chain. Many untrustworthy third party suppliers and distributors can introduce compromised devices, which look and function exactly like the authentic ones. It is thus extremely difficult to ensure the authenticity of these resource constraints and low-cost edge devices. Numerous incidents, which include the presence of cloned systems in the US defense supply chain, indicate that inauthentic hardware entered into the electronics supply chain [6,7,8,9,10,11,12,13,14,15,16]. Figure 1 presents the simplified view of an Internet of Things infrastructure, where the EDs are connected to the Internet through gateways. In our threat model, we treat the gateways as trusted, as one can implement security measures using traditional cryptographic primitives. However, as the edge devices are limited in resources, it is extremely difficult to ensure their authenticity, as an ED can easily be cloned or counterfeited. Note that the hardware attacks can be initiated at the place, where the system is located. For example, an untrustworthy employee in an organization can practically replace an authentic device with its cloned counterpart to gain access to a secure system. In addition, a trusted user can unknowingly add a counterfeit device to the IoT infrastructure, since it is fairly impossible to track their origin if they are acquired from an untrustworthy distributor. Note that various software attacks, such as denial of service (DoS), phishing, and data spoofing, can be performed through untrustworthy hardware [17,18]. As the objective of this paper is to address the hardware attacks, we design our proposed solution to ensure the authenticity of EDs.

1.1. Motivation

A recent study suggests that the IoT nodes are severely resource-constrained and they are not well equipped with standard cryptographic protocols [4,5,19]. It is essential for a user to authenticate an ED with very high confidence, as it may be cloned or tampered, and may have a secret backdoor, which can be exploited by an adversary. Traditionally, digital signatures [20] are widely used for end-point authentication, which generally uses Rivest–Shamir–Adleman (RSA) [21] or elliptic-curve cryptography (ECC) [22] crypto primitives. Implementing these primitives in EDs is too expensive due to severe resource constraints. A typical ED consists of an 8MHz microcontroller (MCU), a small (e.g., 128KB) flash memory, and a small (e.g., 10KB) RAM [23]. Software implantation may be preferred in case of hardware limitations; however, these crypto primitives are usually intensive in computation that may not be affordable for EDs as well.

The authentication of integrated circuits (ICs) can be performed using the use of physically unclonable functions (PUFs), as they can generate unique and unclonable bits for creating a unique identifier (ID). Uncontrollable and unpredictable manufacturing process variations are utilized in PUFs to generate random and unclonable bits. Over the years, researchers proposed different PUF architectures and they are the arbiter PUF [24], ring oscillator (RO) PUF [25], SRAM PUF [26], and a few others [27,28,29]. Every authentication can be unique if a unique challenge-response pair (CRP) is used for every communication between the EDs and the gateway. To authenticate an IoT device over an unsecured channel using PUF as an ID generation unit, it is essential to have a strong PUF, with a very large number of CRPs. However, a large number of CRPs management and storage can be another intricate problem to manage for billions of connected devices. In addition, a strong PUF requires hardware modification for EDs, which might not be feasible. Instead, we can exploit built-in SRAM and use software support to generate the ID.

Typically EDs have on-chip SRAM that can be used to design a PUF, which would offer a cost-effective solution to produce an unclonable device ID. However, there are several challenges to using SRAM-PUF to create device IDs. The bits generated from an SRAM may be unstable and create different IDs for the same device. Error correction codes needs to be used to increase the reliability of the SRAM-PUF response. However, error correction codes usually consume larger memory space, which may not be available in these resource-constraint EDs. It is, thus, required to design a low-cost authentication scheme to uniquely identify EDs over an unsecured channel.

1.2. Contributions

We present a lightweight authentication protocol that verifies the authenticity of a resource constraint edge device. The communication protocol is low-cost, as it uses the resources available in an ED, such as a processor and an on-chip SRAM memory. In addition, we have further developed a robust repeated ID matching scheme to authenticate an ED, where the ID is created from an on-chip SRAM memory. Our scheme is superior over the simple ID matching scheme, as SRAM PUFs are often found to be unreliable. The contributions of our paper are as follows. We:

• Developed a low-cost and secure communication protocol: We propose a novel lightweight communication protocol that utilizes existing hardware resources of an edge device. A secure hash function [30] is used in our proposed protocol and it is implemented using an embedded processor and on-chip memory of an ED [31,32]. It is necessary to make sure that the unencrypted device ID does not leave the system. We show that the protocol is at least as secure as a hash function. We provide the security proof of our protocol in Section 5.3. In addition, the heuristic security evaluation shows that our proposed protocol is resistant to various known attacks.
• Proposed repeated authentication for device identity verification: We propose a novel repeated ID matching technique (see details in Section 4) to address the reliability issues arisen from an SRAM PUF. Our proposed solution does not require expensive helper data and algorithms for error correction, and thus can be lightweight. If a noisy SRAM PUF is used in the ED, an adversary might get lucky to pass the authentication once. However, it is highly unlikely that he/she will pass the authentication a second time and successfully register a fake device using random guesses unless the communication protocol described in Section 3.1 is broken. The unreliable bits from the SRAM PUFs can be identified in the proposed repeated ID matching scheme and will be excluded during the ID matching process. We demonstrate that it is highly unlikely for an adversary to impersonate an ED (see the details in Section 1). An adversary can pass the simple ID matching scheme by random trial (see Section 4.1) if the PUF responses are noisy. However, an adversary cannot impersonate an edge device two times with random guesses. Note that one can also implement an authentication scheme that verifies an ED more than two times to further increase the difficulty of impersonating an authentic device.
• Implemented the proposed protocol in low-cost devices: We have implemented this proposed protocol using Raspberry Pi as a gateway and Arduino as the edge devices. The EDs go through a registration process (see Algorithm 1), where the device signature is generated from the power-up states of the on-chip SRAM. We implemented the proposed protocol without any hardware modifications. The IDs generated from the Arduino EDs show good uniqueness properties (see the Hamming distance’s analysis in Section 6.4).

The rest of the paper is organized as follows. Section 2 briefly surveys the literature. Section 3 describes our proposed lightweight communication protocol to verify the identity of an ED. We present the ID matching scheme by repeated authentication in Section 4. The security evaluation is performed in Section 5. The implementation detail is described in Section 6. Finally, the paper is concluded in Section 7.

2. Prior Work

Over the years, researchers have proposed several PUF-based authentication protocols for resource constraint applications. Most of these protocols consists of a prover node, and a verifier. The prover is a node (e.g., sensors), which responds to the verifier’s (e.g., routers) query to confirm that it is an authorized node in the IoT system. To perform a verification, a random challenge is sent to the prover by a verifier, and the prover acknowledges by sending a valid response in return. The authors in [33] combined a delay PUF-based authentication protocol with an HB-based protocol (named after the authors) [34] to remove security vulnerabilities of these individual protocols. Later in their work, they proposed a protocol that reduces power and area overhead by using 2-level noisy PUF instead of using area and power-intensive cryptographic modules, such as hash functions [35]. Katzenbeisser et al. proposed a logically re-configurable PUF [36], which can be used to reduce excessive area requirement [37]. The above protocols use a CRP only once in order to prevent the replay attack.

Management and storage of CRPs at the verifier’s end are pressing issues when it comes to millions of devices connected to the Internet. An adversary, listening to the communication among prover and verifier nodes, can model a PUF mathematically and predict the responses. Rührmair et al. presented a modeling attack for several PUF models including arbiter PUFs and ring oscillator PUFs [38]. To eliminate these issues, the converse PUF-based authentication protocol has been proposed in [39], where the verifier is considered a resource-constrained device, and the prover is considered a resource-rich server. A hardware and software co-verification based lightweight IoT authentication scheme is presented in [40]. The authors applied the hash of firmware along with PUF response to detect software and hardware impersonation attacks. Chatterjee et al. proposed an authentication scheme that combines the concepts of PUF, identity-based encryption (IBE), and keyed hash function to eliminate the need for explicitly storing CRPs [41]. Braeken et al. [42] proved that this protocol is vulnerable to the man-in-the-middle (MITM) attack, impersonation, and replay attacks [43].

A preshared key based host identity protocol is proposed in [44] to authenticate an IoT edge node. The primary shortcoming of the method is that adversary might gain access to the network if the shared key gets compromised. Kothmayr et al. proposed a two-way authentication protocol, entitled datagram transport layer security (DTLS) based on the X.509 certificate [45]. Porambage et al. proposed an implicit certificate-based two-phase authentication protocol [46]. Since the certificates are more lightweight than the protocol proposed in [45], distributed IoT applications are supported by this protocol. This implicit certificate-based protocol is suitable for highly resource-constrained devices. However, the protocol is vulnerable to replay attack, DoS attack, and man-in-the-middle (MITM) attack [47]. To mitigate these vulnerabilities, Turkanović et al. presented a four-step authentication model, which is suitable for the scenario where a remote user negotiates a session key with a sensor node without connecting to the gateway [48]. Challa et al. proposed a signature-based user authenticated key agreement scheme using Elgamal and ECC-based signature for IoT device authentication [47]. Although this protocol is advantageous in comparison to [46,48], it is computationally intensive. Hash function-based and chaos-based privacy-preserving schemes for IoT in a smart home system have been proposed in [49]. The authors used symmetric cryptosystem (e.g., Message Authentication Code or MAC) for both schemes. The heuristic suggests that the protocols are secure. Formal security analysis and verification would strengthen the contribution of the proposed method. Wazid et al. proposed three-factor—smart card, password, and personal biometrics—remote user authentication for a hierarchical IoT network called the user authenticated key management protocol [50].

The majority of these protocols use a strong-PUF that requires hardware modification which ultimately imposes a strain on the resource limitation of EDs. Mass production and remote deployment are among the primary features of IoT devices. Adding extra hardware could be very expensive in terms of run-time power consumption and production cost. Therefore, a better approach would be to utilize existing hardware to implement security features that would be secure but lightweight.

3. Proposed Authentication Scheme

One of the major constraints in implementing standard authentication protocol is limited resources available in an ED. It is essential for an ED to have a low die area, smaller memory, and lower power consumption which, in effect, limit the performance. These constraints ultimately prohibit EDs from using standard secure protocols such as TLS and IPsec [4]. Less stress was given on security during the development of IoT edge devices considering that the generated or transmitted data would have little value to the attackers. It has been proven otherwise because this seemingly trivial information can be exploited to break into complex systems [51,52]. Authentication of an ED in an IoT network could help avoid the potential threat posed by counterfeit or cloned devices. In this section, we propose an authentication technique for an ED by correctly identifying its origin. To prevent various run attacks, the device needs to encrypt its data. However, advanced encryption methods are only feasible for gateways, since they have higher resources. Our proposed scheme does not address authentication of the gateways and treats them as authentic.

3.1. Proposed Communication Protocol

Figure 2 shows our proposed authentication approach. A true random number generator (TRNG) is necessary for the gateway device for random nonce (n) generation. We propose to use a cryptographically secure pseudo-random number generator (CSPRNG) such as [53] or [54] considering area efficiency in its implementation. A one-time-pad (OTP) [55,56] is employed to encrypt the key with n. Note that OTP is area efficient, as it only requires a simple XOR array. To authenticate the $l^{th}$ ED in the network, we employed a pair of keys, $\{K_l,I{D}_l\}$. $K_l$ is stored in an on-chip memory of an ED, and it is shared with the gateway. $I{D}_l$ is a unique device signature that can be generated from an SRAM PUF (see Section 4 for details).

The proposed communication protocol for authenticating an ED is described in the following steps:

• The gateway receives the secret device key-ID pair {$K_l$,$I{D}_l$} from the trusted system integrator (SI) using an existing secure communication protocol (e.g., TLS [58]). Here, SI is an entity that produced ED. During production, every device needs to be registered in a secure database with a public ID, and a key-ID pair, $\{I{D}_l\in {\{0,1\}}^N,K_l\in {\{0,1\}}^N\}$. Here, N is the length of the $I{D}_l$ and $K_l$. Depending on the level of security one requires, N could vary. We analyzed the protocol for both $N=128$ and $N=256$, and implementation is only demonstrated for a 256 bit ID. The public ID is needed to locate the ED in the database. A tamper-proof memory in a gateway can also be used to store this data rather than transferring them from another database. However, since the gateway is always connected to the Internet, standard security measures can be implemented, as it typically does not have any resource limitations. However, it is recommended to receive the key-ID pair from the trusted integrator rather than store it into the gateway itself.
• The gateway stores $\{K_l,I{D}_l\}$ in its on-chip (volatile or non-volatile) memory, but no information can be extracted through the input and output of the gateway. This will prevent an adversary from getting access to the $\{K_l,I{D}_l\}$, which was generated during the registration phase of the ED.
• An on-chip CSPRNG generates a unique nonce ($n_i$), which is stored in the memory of the gateway. This $n_i$ will be used later for decrypting the secret device ID. A one-time pad (OTP) now encrypts the key ($K_l$) with this random nonce. The gateway then sends this encrypted key (depicted as ($m_i$) in the figure) to the $l^{th}$ ED, $E{D}_l$, to request for its identification.

  $$m_i=n_i\oplus K_l$$

  (1)
• The nonce ($n_i$) is retrieved at the ED by XORing the $m_i$ with the shared secret key ($K_l$). A secure hash (e.g., SHA-2 or SHA-3 [30]) is computed on this nonce ($n_i$) to produce a 256/512 bit hash output ($H_i$). Existing hardware resources such as embedded processor and memory [31,32] of the EDs are sufficient to compute this hash.

  $$H_i=hash\left(n_i\right)$$

  (2)
• The device ID ($I{D}_l$) is created from the on-chip SRAM (extensive desription and analysis of SRAM PUF can be found in [59,60,61,62,63]) of the ED. Now, the ED encrypts $I{D}_l$ using N bits of computed H. The encrypted ID $\left\{r_i\right\}$ is sent to the gateway for authentication.

  $$r_i=I{D}_l\oplus H_i$$

  (3)
• The gateway computes the same hash (SHA-2 or SHA-3) using the $n_i$ after receiving $r_i$. By this, the secret device ID is reconstructed in the gateway.

  $$\begin{array}{cc}\hfill r_i& \oplus H_i=I{D}_l\oplus H_i\oplus H_i=I{D}_l\hfill \end{array}$$

  (4)
• This reconstructed ID is then verified with the stored ID (see Section 4 for details). Steps 3-6 are repeated for the second stage of the authentication to increase the confidence of an authentic ED.

3.2. Security Proof

A protocol preserves the secrecy if an adversary cannot determine secret data, e.g., key, with absolute certainty just by interacting with the protocol. Therefore, the protocol analysis primarily tries to determine a protocol trace that would compromise the secrecy of the system [64]. In this section, we will provide detailed proof for our proposed protocol.

The proposed protocol employs a symmetric key encryption system. First, the gateway sends a nonce encrypted using a shared key to an ED, K. Then, the ED uses the same shared key to recover the nonce to transfer the $ID$ to the gateway for authentication. Key freshness is ensured, since the nonce is transformed through a secure hash function before it is used again to encrypt the $ID$.

Let us assume that a probabilistic polynomial time adversary $adv$ performs an authentication experiment $Aut{h}_{adv,\pi }(n,H_{adv},m_i,r_i,r_j)$ and tries to find a difference between a random data and private information; e.g., key K of the protocol $\pi$. The adversary $adv$ has the following information:

• The hash function $H_{adv}$ with the security parameter N, which is the length of shared key K.
• He/she can eavesdrop and collect message contents $m_i$, $r_i$, and $r_j$.

To prove that the protocol is secured, we need to show that the probability of success in the $Aut{h}_{adv,\pi }$ experiment is negligible. In other words, there exists a function $negl(.)$ for every probabilistic polynomial time adversary such that:

$$Pr[Aut{h}_{adv,\pi }=1]\le negl\left(N\right)$$

(5)

Definition 1.

For a secure hash function H, it is computationally infeasible to calculate the two input messages $x_1$ and $x_2$ ($x_1\ne x_2$) such that $H\left(x_1\right)=H\left(x_2\right)$. This property of hash function is commonly denoted as collision resistance [65].

Definition 2.

Given an N-bit output of a secure hash function H is z, it is computationally infeasible to calculate the input message x such that $H\left(x\right)=z$. This property of hash function is commonly denoted as preimage resistance [65].

Theorem 1.

The protocol π is secured from a polynomial time adversary such that it is not feasible to disintegrate $H\left(a_i\right)\oplus H\left(a_j\right)$ into $H\left(a_i\right)$ and $H\left(a_j\right)$. Here, $a_{i,j}$ is any variable of length N and $a_i\ne a_j$.

Proof. 

Let us assume an adversary $adv$ can actively monitor and alter {$m_1,m_2,\dots ,m_i$} and {$r_1,r_2,\dots ,r_i$}, and performs two corner case experiments. □

First, a zero string of length N is injected instead of $n_i\oplus K$ to an authentic ED. Therefore, ED receives $m_i=[00\dots 00]$ and calculates $n_i=m_i\oplus K=K$. Then, the ED computes $r_i=H\left(K\right)\oplus ID$ and sends $r_i$ to the adversary. Second, all one string of length N is passed to the same ED. Similar to the first attempt, ED receives $m_i=[11\dots 11]$ and calculates $n_i=m_i\oplus K=\overline{K}$. Then, the ED computes $r_i=H\left(\overline{K}\right)\oplus ID$ and sends $r_i$ to the adversary. From these two transactions, the adversary can construct $H\left(K\right)\oplus H\left(\overline{K}\right)$ which is a more specific case for any replay attack (See Equation (13)).

Considering more general case, $adv$ can retrieve $H\left(a_i\right)$ and $H\left(a_j\right)$ if and only if $H\left(a_i\right)\oplus H\left(a_j\right)=0$; that is, $H\left(a_i\right)=H\left(a_j\right)$. This is not computationally feasible because of the collision property (see Definition 1) of a secure hash function. Therefore, the protocol $\pi$ is secured from a polynomial time adversary because it is not feasible to disintegrate $H\left(a\right)\oplus H\left(\overline{a}\right)$ into $H\left(a\right)$ and $H\left(\overline{a}\right)$.

Now, we consider a more pessimistic case where the adversary identifies $H\left(K\right)$ (and therefore violates the Theorem 1), yet we show that the protocol is secured by proving the following theorem.

Theorem 2.

If the preimage resistance definition holds, the proposed authentication protocol π is secured against an eavesdropping adversary.

Proof. 

Let us assume that a polynomial time adversary runs an algorithm $\mathcal{A}$ that can compute the inverse hash with a probability $negl\left(N\right)$. The adversary constructs an efficient algorithm ${\mathcal{A}}^{\prime }$ using the algorithm $\mathcal{A}$ as a subroutine (see Figure 3). The new algorithm is entitled "reduction", and it attempts to solve preimage identification problem. This leads to an adversary; compute $n_i$ as follows:

$$\begin{array}{ccc}\hfill n_i& =& m_i\oplus K^{\prime }=K\oplus n_i\oplus K^{\prime }\hfill \end{array}$$

(6)

$$\begin{array}{ccc}\hfill H_{adv}\left(n_i\right)\oplus r_i& =& H_{adv}\left(n_i\right)\oplus ID\oplus H\left(n_i\right)\hfill \\ \hfill & =& ID\hfill \end{array}$$

(7)

Here, ${\mathcal{A}}^{\prime }$ computes a shared key $K^{\prime }$ using $H\left(K\right)$. All future authentications can be impersonated using the Equation (7). Even though the protocol chooses a different nonce ($n_j\ne n_i$) during future authentications, it can be retrieved using shared Key K. Revealing K particularly poses a major threat because any future authentication for that particular ED can be passed. This implies a direct contradiction to the preimage resistance property of a secure hash (see Definition 2) because the algorithm $\mathcal{A}$ needs to find K from its hashed value to execute this attack. The protocol $\pi$ is secured if the preimage resistance property holds. From the above theorems, we conclude that the probability of success for $Aut{h}_{adv,\pi }(n,H_{adv},m_i,r_i,r_j)$ is negligible. □

4. Device Authentication by ID Matching

Authentication of an ED would be challenging if we consider applying SRAM PUF response as a device signature without any error correction codes. SRAM PUF outputs may vary because of temperature variation, aging degradation, and fluctuations in the supply voltage. Therefore, responses from a PUF could vary significantly if those are taken at different environmental conditions. How can we use a PUF to verify the identity of a device, if a PUF produces an unreliable ID? Response collected from a PUF during the registration phase and the response collected during authentication will necessarily match bit-by-bit. To identify a device, however, it is not imperative to match every bit of the stored and new responses. A decision can be reached if the majority of bits (above some predetermined threshold) match among these responses. If the PUF responses are too noisy, an adversary can get lucky to authenticate an illegitimate device. This vulnerability can be addressed by capturing multiple responses from the PUF in a very short duration under similar environmental conditions and perform authentication for once more. To utilize this idea we developed a repeated authentication scheme, where the gateway interrogates an ED more than once in a short duration (see details in Section 4.2). Note that this repeated authentication does not extract more stable bits to identify a device, rather than preventing an adversary to become successful in impersonating an authentic one by random guesses. We show that the probability of impersonating an authentic device twice is negligible.

4.1. Simple ID Matching

The uncertainty in the PUF output is mitigated in the proposed method primarily because the ID matching does not consider the bit-by-bit matching of the IDs during authentication. We propose to apply Hamming distance ($HD$) to calculate the similarity between stored $I{D}_S$ and received $I{D}_R$. Note that, Hamming distance indicates how many bits are different between two binary numbers.

The authentication can be performed as follows:

$$HD(I{D}_S,I{D}_R)\to \{\begin{array}{c}\le H{D}_T,\mathrm{The}\mathrm{device}\mathrm{is}\mathrm{authentic}\\ >H{D}_T,\mathrm{The}\mathrm{device}\mathrm{is}\mathrm{counterfeit}\end{array}$$

where $H{D}_T$ is the threshold that should be determined once the PUF is characterized. For instance, initially, we can set a threshold of 10 which would mean that as long as stored $I{D}_S$ and received $I{D}_R$ are mismatched at most 10 bit, the authentication will pass.

At this point, we determine the probability of impersonating an authentic ED by an adversary. Let us assume that the size of the stored ID (PUF response) is of N-bits and $H{D}_T$ is of k-bits. Now, the probability of finding one vector with exactly $(N-k)$-bit match or k-bit mismatch is as follows:

$$p=\frac{1}{2^N}{}^N{C}_{(N-k)}=\frac{1}{2^N}\left(\begin{array}{c}N\\ k\end{array}\right)$$

Thus, the probability of finding a vector with at most k-bit mismatch to pass the ID matching test becomes:

$${\displaystyle p=\frac{1}{2^N}\sum _{i=0}^k\left(\begin{array}{c}N\\ i\end{array}\right)}$$

(8)

From Equation (8), we conclude (see

Table 1. Probability of matching an ID.

Simple ID Matching

Repeated ID Matching

$H{D}_T^{†}$ = 1

$H{D}_T^{†}$ = 2

$H{D}_T^{†}$ = 4

$H{D}_T^{†}$ = 8

$H{D}_T^{†}$ = 16

$H{D}_T$

ID = 128

ID = 256

ID = 128

ID = 256

ID = 128

ID = 256

ID = 128

ID = 256

ID = 128

ID = 256

ID = 128

ID = 256

1

3.8 × 10${}^{-37}$

2.2 × 10${}^{-75}$

2.9 × 10${}^{-73}$

9.8 × 10${}^{-150}$

1.8 × 10${}^{-71}$

1.3 × 10${}^{-147}$

2.4 × 10${}^{-68}$

6.7 × 10${}^{-144}$

3.2 × 10${}^{-63}$

1.6 × 10${}^{-137}$

2.1 × 10${}^{-55}$

3.9 × 10${}^{-127}$

2

2.4 × 10${}^{-35}$

2.8 × 10${}^{-73}$

3.6 × 10${}^{-71}$

2.5 × 10${}^{-147}$

2.3 × 10${}^{-69}$

3.2 × 10${}^{-145}$

3.0 × 10${}^{-66}$

1.7 × 10${}^{-141}$

3.8 × 10${}^{-61}$

3.9 × 10${}^{-135}$

2.4 × 10${}^{-53}$

9.3 × 10${}^{-125}$

4

3.2 × 10${}^{-32}$

1.5 × 10${}^{-69}$

1.9 × 10${}^{-67}$

5.4 × 10${}^{-143}$

1.2 × 10${}^{-65}$

6.8 × 10${}^{-141}$

1.5 × 10${}^{-62}$

3.5 × 10${}^{-137}$

1.8 × 10${}^{-57}$

7.9 × 10${}^{-131}$

9.7 × 10${}^{-50}$

1.8 × 10${}^{-120}$

8

4.5 × 10${}^{-27}$

3.7 × 10${}^{-63}$

4.1 × 10${}^{-61}$

2.0 × 10${}^{-135}$

2.5 × 10${}^{-59}$

2.5 × 10${}^{-133}$

2.9 × 10${}^{-56}$

1.3 × 10${}^{-129}$

3.1 × 10${}^{-51}$

2.6 × 10${}^{-123}$

1.2 × 10${}^{-43}$

5.2 × 10${}^{-113}$

16

3.2 × 10${}^{-19}$

9.3 × 10${}^{-53}$

6.9 × 10${}^{-51}$

1.3 × 10${}^{-122}$

3.9 × 10${}^{-49}$

1.5 × 10${}^{-120}$

4.0 × 10${}^{-46}$

7.2 × 10${}^{-117}$

3.2 × 10${}^{-41}$

1.3 × 10${}^{-110}$

7.0 × 10${}^{-34}$

2.0 × 10${}^{-100}$

32

6.4 × 10${}^{-9}$

5.9 × 10${}^{-37}$

7.9 × 10${}^{-36}$

4.9 × 10${}^{-102}$

3.8 × 10${}^{-34}$

5.5 × 10${}^{-100}$

2.8 × 10${}^{-31}$

2.3 × 10${}^{-96}$

1.2 × 10${}^{-26}$

3.1 × 10${}^{-90}$

6.7 × 10${}^{-20}$

2.6 × 10${}^{-80}$

64

5.4 × 10${}^{-1}$

2.4 × 10${}^{-16}$

1.9 × 10${}^{-18}$

7.5 × 10${}^{-72}$

6.0 × 10${}^{-17}$

7.2 × 10${}^{-70}$

2.0 × 10${}^{-14}$

2.2 × 10${}^{-66}$

1.5 × 10${}^{-10}$

1.6 × 10${}^{-60}$

2.1 × 10${}^{-5}$

3.7 × 10${}^{-51}$

for details) that the attacker has a low probability of authenticating an illegitimate device.

Although the success probability for adversaries passing authentication is indeed insignificant, this is not sufficient to prevent guessing an ID by random trials when there are many unreliable bits in an ID. This is not unlikely if an ED uses an SRAM PUF without any error correction code. Hence, it is essential to further improve the simple matching scheme.

4.2. Repeated ID Matching

It is not likely that an attacker will authenticate a fake device a second time consecutively, unless the communication protocol described in Section 3.1 is broken. This section describes a repeated ID matching scheme, where an ED is certified as authentic if it passes two consecutive ID verification tests. In addition, we can extract more stable bits from the PUF response during the second ID matching by discarding unreliable bits. Unreliable bits can be defined as the bits which flip during the first ID matching, are and computed using the following equation:

$$I{D}_R\left[i\right]\ne I{D}_S\left[i\right]$$

where $I{D}_R$ and $I{D}_S$ are the received and stored PUF responses, respectively.

The repeated authentication scheme is described in the following steps:

• The gateway requests $l^{th}$ edge device ($E{D}_l$) for its device ID by sending $n_1\oplus K_l$. The ED returns encrypted $I{D}_R$ ($H\left(n_1\right)\oplus I{D}_R$). The gateway first decrypts the ID (see Equation (4), and then computes the mismatch locations of the received ID ($I{D}_R\left[i\right]\ne I{D}_S\left[i\right]$). A robust ID $RID$ is created by discarding mismatch bits. Additionally, the gateway keeps track of the mismatch locations.

  $$RID\left[k\right]=I{D}_R\left[i\right],\mathrm{if}I{D}_R\left[i\right]=I{D}_S\left[i\right];0<k<i<N$$

  (9)
• The gateway again requests $E{D}_l$ for its ID by sending $n_2\oplus K_l$, ($n_1\ne n_2$). Similar to the first authentication, $E{D}_l$ then returns the encrypted $I{D}_R$, ($H\left(n_2\right)\oplus I{D}_R$). This is decrypted in the gateway side using the Equation (4). Then, the gateway computes the new robust ID ($RI{D}^{*}$) by using Equation (9).
• The two robust IDs are compared by using Hamming distance, which is described below:

  $$HD(RID,RI{D}^{*})\to \{\begin{array}{c}\le H{D}_T^{†},\mathrm{The}\mathrm{device}\mathrm{is}\mathrm{authentic}\\ >H{D}_T^{†},\mathrm{The}\mathrm{device}\mathrm{is}\mathrm{counterfeit}\end{array}$$
  Note that PUF produces a similar response for similar conditions; therefore, $H{D}_T^{†}$ is much less than $H{D}_T$. It is important to keep in mind that depending on the expected security of the system one can implement an authentication scheme that uses more than two repeated IDs from the same device.

Now, let us calculate the probability of authenticating a device twice by an adversary. We assume that the size of the stored ID is of N-bits, $H{D}_T$ is of k-bits, and $H{D}_T^{†}$ is of r-bits ($r<k$). The probability of passing two repeated authentication becomes:

$$p=\frac{1}{2^N}{\displaystyle \sum _{i=0}^k\left(\begin{array}{c}N\\ i\end{array}\right)}\times \frac{1}{2^{(N-k)}}{\displaystyle \sum _{i=0}^r\left(\begin{array}{c}N-k\\ i\end{array}\right)}$$

(10)

It is clear from the Equation (10) that the probability of successful authentication is significantly reduced if repeated authentications are performed. Successive failed authentication can also be prevented simply by implementing a counter in the gateway to keep track of the failed attempts. If the count crosses some threshold, that can raise a flag.

5. Security Analysis

We provide a detailed security analysis in this section by showing the attack success probabilities and show that the proposed protocol is robust against known attacks, such as denial of service, the replay attack, and different physical attacks.

5.1. Probability Analysis for Proper ID Matching

For a fixed ID length, Hamming distance plays an important role that could reduce the chance of impersonating a device. A smaller Hamming distance makes it harder for an attacker to guess an ID by random trials. However, the reliability of a PUF determines the Hamming distance in this case. Simple ID matching should be enough for a reliable PUF to prevent cloning. However, repeated ID matching can provide the solution for even a very unreliable PUF.

Table 1 lists the probabilities of matching IDs for both a simple ID matching scheme (see Section 4.1) and the proposed repeated ID matching scheme (see Section 4.2). The analysis here considered 128-bit and 256-bit device IDs. The Hamming distances ($H{D}_{T}s$) chosen for the analysis are 1, 2, 4, 8, 16, 32, and 64. The PUFs are considered very reliable when $H{D}_T$ values are 1, 2, and 4. On the other hand, we also consider very noisy PUFs where 32 or 64 bits may be flipped during authentication. As expected, the probabilities of ID matching increase with an increase of $H{D}_T$. This is intuitive, as an adversary has a lesser required effort for matching an ID. For a reliable PUF, an attacker has a significantly low probability of matching an authentic ID. For example, the probability of finding a match becomes $4.5\times {10}^{-27}$ and $3.7\times {10}^{-63}$ considering an $H{D}_T$ of 8, when the IDs are 128 bit and 256 bit respectively. However, the probability increases significantly to $5.4\times {10}^{-1}$ and $2.5\times {10}^{-16}$ considering $H{D}_T$ of 64 for an ID of 128 and 256 bits, respectively.

For the repeated ID matching scheme, the Hamming distances ($H{D}_T^{†}s$) chosen for the second stage of the authentication process were of 1, 2, 4, 8, and 16 bits. As before, the probability of ID matching is higher with an increase of $H{D}_T^{†}s$. However, it is much less when we compare it to the simple ID matching scheme. We now have a significant improvement of not finding an ID, as the probability has decreased significantly. For example, the probability of finding an ID is $1.9\times {10}^{-18}$ for a PUF that is heavily impacted by aging (64 out of 128 bits are unstable) assuming stable bits remain stable ($H{D}_T^{†}$ is of 1). For a 128 bit ID, we also have a very low probability of $1.5\times {10}^{-10}$ and $2.1\times {10}^{-5}$ with $H{D}_T^{†}$ of 8 and 16 bits, respectively. For a 256 bit ID, it is fairly impossible for an adversary to pass the repeated ID matching scheme even though PUF responses are unreliable.

5.2. Denial of Service (DoS) Attack

When an adversary intentionally stages a failed authentication for a genuine ED so that it cannot be in service, it is known as denial of service attack. For example, a security camera can be disabled by making it fail to register itself to the server. For the protocol presented in this paper, an attacker can eavesdrop the communication between ED and gateway G. Every authentication starts with a nonce $n_i$ generation in the G, and then $n_i$ is sent $l^{th}$ ED as $m_i$ = $K_l\oplus n_i$. In response, the ED returns $r_i=H\left(n_i\right)\oplus I{D}_l$ to the G. At this point, an attacker can intercept $r_i$ and feed a modified version as $r_i^{*}$. This would certainly fail the authentication as G will fail to reconstruct the $I{D}_l$. To prevent this attack, the proposed protocol needs the following modification:

5.2.1. First Authentication

• G generates a random nonce $n_i$, and sends it as $m_i$ = $K_l\oplus n_i$ to $E{D}_l$.
• $E{D}_l$ returns $r_i=H\left(n_i\right)\oplus I{D}_l$ to the gateway as response. Attacker eavesdrops and replaces $r_i$ with $r_i^{*}(\ne r_i)$.
• G retrieves $I{D}_l^{\left(1\right)}$ as the ID of $E{D}_l$ by computing $I{D}_l^{\left(1\right)}$ = $H\left(n_i\right)\oplus r_i^{*}$. Since the $I{D}_l\ne I{D}_l^{\left(1\right)}$, the authentication fails.

5.2.2. Second Authentication

• G generates a random number $n_j(\ne n_i)$ and sends $m_j$ = $K_l\oplus n_j$ to $E{D}_l$.
• $E{D}_l$ returns $r_j=H\left(n_j\right)\oplus I{D}_l$ back to the gateway. Similarly to the first authentication phase, an attacker may eavesdrop and send $r_j^{*}(\ne r_j)$ to the gateway.
• Gateway retrieves $I{D}_l^{\left(2\right)}\ne I{D}_l$ as the ID of the ED is $I{D}_l$ and authentication fails.
• Finally, gateway verifies the $I{D}_l^{\left(1\right)}$ and $I{D}_l^{\left(2\right)}$ to determine whether an attack has been launched.

According to the Table 1, the probability of matching these two IDs is very low.

5.3. Replay Attack

An attacker attempts to authenticate an ED by impersonating the ID using prior communications. We assume that an attacker does not have access to the secret key ($K_l$), which is stored in the $E{D}_l$. Let us assume that the attacker observes two prior communications. First, he/she observes $n_1\oplus K_l$ from the gateway and $H_{n_1}\oplus I{D}_l$ from $E{D}_l$. From this observation the attacker can compute $K_l\oplus I{D}_l\oplus n_1\oplus H_{n_1}$, which is shown below:

$$(n_1\oplus K_l)\oplus (H_{n_1}\oplus I{D}_l)$$

(11)

From the second communication, the attacker observes $n_2(\ne n_1)\oplus K_l$ from the gateway and $H_{n_2}\oplus I{D}_l$ from $E{D}_l$, and can compute $K_l\oplus I{D}_l\oplus n_2\oplus H_{n_2}$.

Now the attacker can perform the following operations:

$$(n_1\oplus K_l)\oplus (n_2\oplus K_l)=n_1\oplus n_2$$

(12)

$$(H_{n_1}\oplus I{D}_l)\oplus (H_{n_2}\oplus I{D}_l)=H_{n_1}\oplus H_{n_2}$$

(13)

From Equation (13), it is obvious that an adversary successfully replays a prior communication if it becomes zero, when $H_{n_1}=H_{n_2}$. This would certainly contradict the collision property of a secure hash [30]. Thus, the communication protocol becomes is resistant to replay attack, when it has been implemented with a secure hash function (SHA-2 or SHA-3).

5.4. Physical Attacks

We need to use a tamper-proof memory to store the secret key $K_l$ in the ED. As discussed previously $K_l$ is shared between the gateway and ED, and so a breach in this information will break the security of the protocol. Reverse engineering and physical attack can be a way to steal this secret information. Nowadays, sophisticated optical microscopes can capture high-resolution 3D images of a microchip. Scanning electron microscopes and transmission electron microscopes can produce images of different inner layers of a microchip. Chipworks (now TechInsights) have performed such experiments legitimately for competitive analysis and patent research. The physical layout of a chip can be constructed from a legitimate chip through destructive physical attacks as well. Infrared backside imaging can reveal stored data in an NVM. All these physical attacks can be used to reveal secret information. Since our proposed protocol uses PUF for ID generation, this ID will be different for different EDs. Performing a physical attack will expose the unique key $K_l$, and thus the PUF generated ID of $E{D}_l$ only and not any other devices. From the financial point of view, this does not provide a strong motivation for an adversary to launch physical attacks.

6. Implementation Details

In this section, we show that the proposed protocol can be efficiently implemented with low code overhead using commercial resource-constrained devices. Arduino Mega [66] and Raspberry Pi-3 model B (RPi) [67] have been used as the ED and gateway, respectively. Note that Arduino Mega is equipped with an ATMEGA2560 microcontroller [68] that contains 8KB SRAM and 256KB flash storage. We exploit the uninitialized power-up states of this SRAM to generate device signature (i.e., ID). Figure 4 shows the implementation setup. The proposed protocol is implemented into two phases, enrollment phase and authentication phase, which are described in the following.

6.1. Enrollment Phase

The objective of the enrollment phase is to read the unclonable device ID of an ED and store it in a secure database for future authentication. The uninitialized memory space between the stack pointer (SP) and the heap pointer (HP) is extracted to generate device ID. Figure 5 illustrates the memory space for a typical microcontroller. Note that the memory space between HP and SP shrinks or expands depending on the workload of a particular firmware. However, we can capture initial SP during the program start-up and keep track of the changes to get the SRAM data from the preset address range every time the ID is constructed. We present ID extraction and setup in Algorithm 1. The ID extraction flow and all data processing in the enrollment phase are written in Python, whereas the firmware for the ID extraction is written in C. All the operations involved in this implementation use 256-bit data. Algorithm 1 lists the steps to extract the signature of a device and is described as follows:

• A host computer starts executing Algorithm 1. fullRAMSpace firmware is loaded in the microcontroller, and it reads the available uninitialized memory between HP and SP. The uninitialized memory of the SRAM is shifted out through the serial port and captured on the host computer. These data are stored in a variable M (Line 1). Note that fullRAMSpace firmware contains only subroutines that extract SRAM data and communicates with the host computer.
• Authentication subroutine and user application subroutines, data acquisition, monitoring, etc., are combined in usableIDSpace firmware and loaded into the microcontroller. Similarly to Step 1, the available uninitialized SRAM data are shifted out and stored in a variable $M^{\prime }$ in the host computer (Line 2).
• longestMatchingString(M,$M^{\prime }$) is a string matching algorithm implemented in Python (running in the host computer) that returns the longest common string and its indices. For example, fullRAMSpace firmware retrieves 7176 bits from M, and usableIDSpace firmware retrieves 6312 bits from $M^{\prime }$. The string matching algorithm returns the lowest index, L, and highest index, H of the longest matched string (Line 3). For this specific example, a matched string starts from $M^{\prime }\left[4144\right]$ to $M^{\prime }\left[5819\right]$ (total 209 bytes). Since SRAM has inherently unstable bits, for 256-bit (32 bytes) ID we take $(32+e)$ bytes from an approximately equal distance away from $M^{\prime }\left[L\right]$ and $M^{\prime }\left[H\right]$. Here, e must be at least as large as the number of possible unstable bits in the address range selected for ID generation. Memory space for ID generation has been selected approximately in the middle of the matched string so that the processor does not read initialized values from the stack and static data segment during ID extraction. This is important because, during the execution of the user program, HP and SP grow toward each other and may interfere with the ID generation space. $IDStart$ parameter changes depending on the relative position of HP and SP for each device. Line 4 calculates the starting index of the ID as $\frac{L+H}{2\times 8}$. Here, 8 in the denominator indicates the bit width of the memory. Address range for ID generation will be $M\left[IDStart\right]$ to $M[IDStart+(e-1\left)\right]$.
• Once the range $M\left[IDStart\right]$ to $M[IDStart+(e-1\left)\right]$ is known with an initial value of e, $unstableCellLocation\left(\right)$ function is loaded in the ED, and unstable bits are identified with hardware support (e.g., power-up circuitry). $unstableCellLocation\left(\right)$ function returns the location of unstable bits and stable bits of the $I{D}^{\prime }$ (Line 5–7). These unstable bit locations are stored in the MCU as an array usCells (Line 8). For this experiment, we selected $e=10$ which initially assumes 76.2% stable uninitialized bits of the SRAM [69]. This parameter will vary based on the implementation platform, which can be selected with a few trials of power-ups or data reminiscence approach.
• The ID is extracted discarding the unstable bits in Lines 10–12. Then, $usCell$, $IDStart$, e, and shared key K are loaded into the MCU. Finally, the device ID is stored in the database for future authentication.

The approach described above makes each ED unique because of the inherent randomness in the power-up state of SRAM, inter-device variability of $IDStart$, and $usCell$ array.

6.2. Authentication Phase

Authentication phase executes the protocol (Figure 2) in the gateway and edge devices connected to it.

• In this phase, gateway G starts authentication by sending a token to the ED. Since the token is specific (and public) to an ED, only a particular ED will respond to the authentication request from the G. Along with the token G also sends a nonce $n_i$ encrypted with shared key K.
• At ED, $n_i$ is retrieved and converted into a hash using the SHA-2 algorithm. Then, ED runs the ID extraction subroutine that constructs a 256-bit stable ID from SRAM using address range preset during the enrollment phase. ID and $SHA-2\left(n_i\right)$ strings are processed to get XOR’ed value $r_i$.
• The encrypted ID retrieved from ED ($r_i$) is decrypted in the G as $I{D}^{\prime }=SHA-2\left(n_i\right))\oplus r_i$ and compared with a stored ID. A successful first authentication would trigger another authentication attempt as described in Section 4.2.

6.3. Overhead Analysis

As it is important to have low area and timing overhead in an IoT device, we present analysis in this subsection. The overall code overhead due to the authentication function is 3.65%. The overhead primarily comes from the hash algorithm and string processing. The hardware overhead is only from the memory requirement for storing the symmetric key (K), which is 256-bit in this implementation. Note that no additional hardware is needed to implement the PUF. Considering the importance of security in the IoT infrastructure, this overhead is quite insignificant. Note that no hardware modifications are necessary for EDs, which makes our solution feasible for adopting various low-cost applications. Note that the timing overhead will not throttle the performance of the IoT devices, as the proposed protocol is only used for authentication of an ED after the power-up of a device or at a large regular time interval. The implementation presented in the paper uses approximately a million cycles in ATMEGA2560 running at 16MHz for each authentication, which is practically within a few tens of milliseconds and can be ignored.

6.4. Reliability Analysis

Since ID generation would require randomness in the power-up states of SRAMs among different devices, we need to analyze the reliability of our proposed ID generation scheme. We analyzed the power-up states of built-in SRAM to show the probability of the authentication of a random device as genuine is rather negligible. The uniqueness and randomness of an SRAM-PUF are assured by the normal distribution of fractional inter-class Hamming distance (HD) [69] with a mean at 40.2%. We choose the minimum value of HD ($H{D}_{min}$) to calculate the collision probability of IDs between two different devices. For normal distribution, confidence interval (CI) for mean $\mu$ is of the form $l\le \mu \le u$, where u and l are upper and lower confidence limits respectively. The limits are calculated as $\overline{x}\pm z_{\alpha /2}\times \frac{\sigma }{\sqrt{s}}$, where $1-\alpha$ is the confidence coefficient of a standard normal distribution [70]. Considering lowest limit of the mean $\mu$, the probability of matching two IDs becomes $\frac{2^{N*(1-l)}-1}{2^N-1}$. For example, Figure 6 shows the distribution of $H{D}_{min}$ with sample mean $\overline{x}=0.3436$ and standard deviation $\sigma =0.024$ with $s=500$ samples. We can estimate that 99% CI is $0.3409\le \mu \le 0.3464$ for 256-bit ID, and the probability of generating two devices with a same ID is $\frac{2^{256(1-0.3464)}-1}{2^{256}-1}\approx 6.46\times {10}^{-27}$, which is insignificant.

7. Conclusions

In this paper, a novel, low-cost authentication protocol has been proposed. Production cost reduction without sacrificing security for IoT applications is an extremely difficult task. In addition, a standard cryptographic scheme’s implementation in ED is prohibitively expensive because of the limited resources (e.g., energy) available during operation. We presented a low-cost protocol that uses a secure hash function to authenticate an edge device in an IoT network. The protocol is designed to utilize already available on-chip resources, which fits it in the domain of low-cost applications, such as IoT. We exploited built-in SRAM to generate unclonable "digital fingerprint" of an IoT edge device and used firmware to extract the fingerprint. Aging degradation and temperature variation make it challenging to implement reliable SRAM-PUF. Our proposed repeated ID matching scheme that utilizes Hamming distance eliminates this inherent PUF unreliability. Thorough security analysis shows that the probability of ID impersonation by an attacker is extremely low. The protocol is implemented in a commercial microcontroller, and the overhead of implementation is only a small part of the memory for the firmware.