Authentication technology provides access control for systems by checking whether a user's credentials match the credentials in a database of authorized users or in a data authentication server. The security level of this authentication method depends greatly on protection and protocol design.
PUFauth provides an integrated PUF-based hardware solution including protocol design, key protection and session-key generation.
Symmetric authentication with robust protection of shared secret and high-quality nonce: PUFauth
One of the most commonly used authentication methods for chips is challenge-response authentication. An example is described below. At the start, a two-way authentication scheme has a shared key on both sides. An authentication initiated by a host usually transmits a nonce as a challenge. After the client receives this nonce, it encrypts the nonce and sends it back to the host as a response. The host also encrypts the nonce itself. Lastly, once the host receives the encrypted nonce sent by the client, it checks whether the two encrypted nonces are the same to verify the client's identity.
Using a one-time nonce can ensure that every challenge-response sequence is unique. Such encrypted or hashed exchanges do not directly reveal data or shared secrets to an eavesdropper. Moreover, a randomly generated nonce on each exchange guards against replay attacks, where attackers simply record the exchanged data and retransmit it later as another authentication. Such an attack may supply enough information to let an eavesdropper deduce what the shared key is by using a dictionary attack or brute-force attack.
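The exchange described above, as an added example that is not PUFauth's own code. It assumes HMAC-SHA256 as the keyed function in place of encryption, a 16-byte nonce from the operating system's random source standing in for a hardware TRNG, and hypothetical names (`Host`, `respond`, `demo`).

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # bytes; assumed size, the page does not specify one


def respond(shared_key: bytes, nonce: bytes) -> bytes:
    """Client side: keyed response over the host's challenge."""
    return hmac.new(shared_key, nonce, hashlib.sha256).digest()


class Host:
    """Host side: issues one-time challenges and verifies responses."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._pending = set()  # nonces issued but not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(NONCE_LEN)  # fresh random nonce per exchange
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        # A nonce is accepted once only: unknown or already-used nonces fail,
        # so a recorded (nonce, response) pair cannot be retransmitted later.
        if nonce not in self._pending:
            return False
        self._pending.discard(nonce)
        expected = respond(self._key, nonce)  # host computes the same value itself
        return hmac.compare_digest(expected, response)  # constant-time comparison


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed shared key for the demo
    host = Host(key)
    n1 = host.challenge()
    r1 = respond(key, n1)
    result = {"genuine": host.verify(n1, r1)}
    result["replay_same"] = host.verify(n1, r1)  # recorded pair sent again
    n2 = host.challenge()
    result["replay_new"] = host.verify(n2, r1)   # old response, new challenge
    n3 = host.challenge()
    result["wrong_key"] = host.verify(n3, respond(bytes(32), n3))
    return result


if __name__ == "__main__":
    print(demo())
```

Consuming the nonce before comparing means a failed attempt also burns the challenge, so each issued nonce allows one guess.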
Secure authentication relies on the robustness of shared key protection and protocol design. PUFauth integrates both PUFkeyst and PUFtrng to strengthen shared key protection and to supply higher-quality nonces, which are generated by PUFtrng. Moreover, for two-chip authentication scenarios, if the chip is enabled with Elliptic Curve Cryptography (ECC), PUFauth can use ECC to generate shared keys from PUFuid by a Diffie-Hellman key exchange. This can add another layer of protection and eliminate key-management issues.