Elsevier

Information Sciences

Volume 503, November 2019, Pages 307-318

Physical unclonable functions based secret keys scheme for securing big data infrastructure communication

https://doi.org/10.1016/j.ins.2019.06.066

Abstract

The Internet of Things (IoT) is expanding rapidly, and so is the number of devices, sensors and actuators joining it. IoT devices are an important part of the data collection process in Big Data systems, so protecting them supports and improves the security of the whole system. ZigBee is a secure communication system for the underlying IoT infrastructure. Even though ZigBee has a strong security stack built on a variety of secret keys, ZigBee devices are vulnerable to side-channel and key extraction attacks. Because of their low cost and limited resources, most ZigBee devices store their secret keys in plaintext. In this paper, we focus on protecting the storage of ZigBee secret keys and show how Physical Unclonable Functions (PUFs) can help ZigBee devices to be robust and tamper-resistant against physical attacks. The proposed schemes include PUF-based key storage protection and key generation. The experiments in this paper were done using SRAM-PUF. Furthermore, two algorithms were proposed to overcome the defects in the randomness of keys generated using SRAM-PUF and, at the same time, to increase the reliability of these keys. We were able to significantly improve the hardware security of ZEDs by protecting their keying materials using costless, highly secure, random, stable and volatile PUF-based secret keys.

Introduction

With the rapid development of IoT and the emergence of new technology applications and projects, such as smart home, intelligent transport, smart cities and smart energy, many researchers and companies have started to pay more attention to the IoT communication infrastructure in order to handle the fast growth in the number of connected devices [22]. As a result, new communication systems have been introduced to meet the demands of low power consumption and device management, and to ensure the security of the connection by applying ciphering and policies. In addition, new technologies such as blockchain have been deployed to build a decentralized and trustworthy structure for ID management in IoT [17]. With the penetration of IoT into our daily life, sensors are sending sensitive data which could be medical or personal [15]. Therefore, much research has been proposed to protect end-user data, whether at the infrastructure level [12], the cloud storage level [16] or any point along the IoT system architecture. IoT security is non-negotiable, and it is a mandatory requirement for every new technology joining the IoT world [5].

ZigBee was invented as a new communication system for the underlying IoT infrastructure in order to satisfy the demands of security, scalability and power consumption management. It is an open stack suitable for sensing and control networks. In addition, it provides a good built-in security scheme at both the network and the application layers. The security services provided by ZigBee include methods for key establishment, key transport, frame protection and device management. The ZigBee security system deploys a variety of secret keys which can be used by IoT applications to guarantee secure transmission of the raw data and control commands. Since all messages sent over the air are secured with ZigBee secret keys, ZigBee security services are tightly coupled to the safe installation and storage of the keying material [2]. However, invoking these secret keys will break the whole system down and could lead to severe problems. As shown in Table 1, there are six types of secret keys defined by the ZigBee Alliance. Some of them, such as the master key, link key and network (NWK) key, can be pre-configured and stored in the Non-Volatile Memory (NVM), while the others, such as the data-key key, key-load key and key-transport key, are derived from the link key at runtime by executing a keyed Hash Message Authentication Code (HMAC) [2]. Even though each layer in ZigBee has its own secret keys, the ZigBee standard allows NWK keys to be used at both the network and the application layers. Because each layer runs its own ciphering operations, the secret keys at different layers should not be the same, to avoid unnecessary repeated encryption with the same secret key. All the secret keys used in ZigBee, listed in Table 1, need protection to ensure ZigBee network security. The most serious attack targeting the secret keys is reading them out from the NVM.

In a secure ZigBee network, at least one key (master key or link key) should be pre-installed in the device before it is deployed in the system, so that the device can safely receive the active NWK key, which is sent by the Trust Center (TC) and encrypted with the key-transport key. Most ZigBee devices are equipped with dedicated Advanced Encryption Standard (AES) hardware, usually a co-processor for executing AES encryption/decryption operations, because AES-128 is the only cryptographic algorithm adopted by the ZigBee Alliance [2].

Nowadays, physical attacks against cryptographic systems represent a big challenge to modern technologies because of the advanced tools attackers use to extract critical information from hardware devices (known as side-channel attacks) or to inject false data in an attempt to break the system security down (known as fault injection attacks) [3]. All of this threatens the traditional plaintext key storage of security systems, especially in high-risk areas. Cryptographic algorithms in modern technology are so strong that they can protect the logical links between endpoint devices. Therefore, physical devices have become the most vulnerable point in the whole security system [18]. As a result, many researchers are working on hardware security because physical attacks are as dangerous as other threats and can endanger the security of IoT in general and of Field Programmable Gate Array (FPGA) devices in particular [14].

Hardware Intrinsic Security (HIS) is one of the strongly recommended solutions for enhancing the hardware security of devices, starting with, but not limited to, securing secret key storage. One of the best-known HIS implementations is the Physical Unclonable Function (PUF). The main concept of a PUF is extracting useful information from the intrinsic physical properties of objects. Researchers found that slight mismatches in some physical characteristics, such as threshold voltage and mobility in Metal-Oxide Semiconductor (MOS) devices, still exist even when producing identical electronic elements because of uncontrollable production variations. Nowadays, there are many types of PUFs which use different mismatch sources and can meet the hardware key requirements of being random, unpredictable, and tamper-resistant. Any attempt to remove the PUF comes with a high risk of destroying it and losing the key forever [20]. A PUF can be used for circuit identification, such as assigning an ID to a circuit or a device [9], as a seed for a pseudo-random number generator [1], as a secret key generator [11] and for authentication using Challenge-Response pairs (CRPs) [21].

The most commonly used PUFs for securing the storage of secret keys are the memory-based PUFs, for two reasons [6]: first, their components, such as SRAM, latches and flip-flops, are widely used in electronic devices and FPGAs; second, generating the output of a memory-based PUF when needed is relatively easier and faster than generating the output of other categories.

In this paper, we focus on the Static Random Access Memory PUF (SRAM-PUF) [13] for protecting ZigBee key storage. The SRAM-PUF output is generated by reading the Start-up Values of SRAM Cells (SVSCs) of the local device. We have chosen SRAM-PUF because SRAM is already used as a fast memory in many electronic systems nowadays, and thus there is no need to add extra components to benefit from the PUF. The key contributions of this paper are as follows:

  • Two algorithms were proposed to overcome the defects in the randomness of keys generated using SRAM-PUF and, at the same time, to increase the reliability of these keys.

  • We have proved that SRAM-PUF can effectively protect the keying materials of ZigBee devices whether by generating the secret keys or by securing the secret keys stored in the NVM of the local device with no need to install any new equipment.

The remaining part of this paper is organized as follows: section II is a literature review; section III covers SRAM-PUF experiments and improvements; section IV is about securing ZigBee devices using PUF; section V concludes our work and future work.

Section snippets

Related works

SRAM-PUF was introduced by Guajardo et al. in [10] and Holcomb et al. in [13], where the PUF randomness comes from the SVSCs. Each SRAM cell represents one bit, which can be 0 or 1. Which of those initial states a cell takes when it is powered on depends on the production process variations of its components, especially the MOS transistors, which makes the initial states random and unpredictable. Experimental results in previous research [13] showed that the majority of the cells are

SRAM-PUF based encoding method

We have used SRAM-PUF to generate a hardware key, and the experiment was done using Texas Instruments CC2530 ZigBee devices, which have an SRAM memory of 256 B. In order to calculate the reliability of the SVSCs, we read the SVSCs 100 times for each device. Then, we calculated how often each individual cell started with 0 and with 1. After counting the iteration rate of 0 and 1 value readings for each cell, we marked the cells as 0-biased or 1-biased depending on the most frequent
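The measurement described above can be sketched as follows. This is an added example, not code from the paper: it reads simulated start-up values 100 times, counts the 0 and 1 readings per cell, marks each cell as 0-biased or 1-biased and reports how stable the cells are. The per-cell start-up probabilities in `make_device` are a constructed model rather than measured CC2530 data, and all function names are hypothetical.

```python
import random

CELLS = 256 * 8   # 256 B of SRAM, the size stated on this page
READS = 100       # power-up read-outs per device, as on this page

def make_device(rng, cells=CELLS):
    """Constructed model: each cell has a fixed probability of starting as 1.
    Most cells are strongly skewed; a minority are close to metastable."""
    probs = []
    for _ in range(cells):
        if rng.random() < 0.85:                      # strongly skewed cell
            probs.append(rng.choice((0.01, 0.99)))
        else:                                        # noisy cell
            probs.append(rng.uniform(0.3, 0.7))
    return probs

def power_up(rng, probs):
    """One simulated read of the start-up values (one bit per cell)."""
    return [1 if rng.random() < p else 0 for p in probs]

def characterize(reads):
    """Count 1-readings per cell, mark each cell 0- or 1-biased, and compute
    how often the cell agrees with its own majority value."""
    n = len(reads)
    ones = [sum(col) for col in zip(*reads)]
    bias = [1 if c * 2 >= n else 0 for c in ones]    # ties count as 1-biased
    stability = [max(c, n - c) / n for c in ones]
    return bias, stability

def summarize(bias, stability, threshold=1.0):
    """Aggregate figures: share of 1-biased cells and number of stable cells."""
    return {
        "one_biased_fraction": sum(bias) / len(bias),
        "stable_cells": sum(1 for s in stability if s >= threshold),
        "mean_stability": sum(stability) / len(stability),
    }

def bit_error_rate(reference, read):
    """Fraction of cells in a fresh read that differ from the reference."""
    return sum(a != b for a, b in zip(reference, read)) / len(reference)

if __name__ == "__main__":
    rng = random.Random(2019)                        # fixed seed: repeatable
    device = make_device(rng)
    reads = [power_up(rng, device) for _ in range(READS)]
    bias, stability = characterize(reads)
    print(summarize(bias, stability))
    print("BER of a fresh read:", bit_error_rate(bias, power_up(rng, device)))
```

The majority-vote `bias` vector plays the role of a reference response; a share of 1-biased cells far from 0.5 signals a randomness defect, and cells with stability well below 1.0 are the ones that reduce key reliability.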

Integrating SRAM-PUF with ZigBee security system model

As mentioned earlier in this paper, a PUF can be used for securing ZigBee secret keys. When a ZigBee network is working in high-security mode, the TC will list the network devices with their master and link keys. In addition, network devices will be pre-configured with at least a master key to be able to establish a link key and then securely acquire the active NWK key. When a ZED is not pre-installed with a master key, the active NWK key will be sent in plaintext to the newly joined device. If the

Conclusion

IoT data makes up a large part of the sources of big data systems, and protecting this data at the infrastructure level is mandatory for the safety of the whole system. In this paper, we have presented a PUF-based secret key scheme to secure the memories in ZigBee physical devices by providing random, reliable and real-time generated hardware keys. A PUF is considered a good solution for devices with limited resources since it does not require any storage space and consumes little power to

Declaration of competing interest

None.

Acknowledgments

This work was supported by the National Natural Science Foundation of China under Grant 61872038, 61811530335, and in part by the Fundamental Research Funds for the Central Universities under Grant FRF-BD-18-016A.

Fadi Farha received his Master's degree and is currently working toward a Ph.D. degree in the School of Computer and Communication Engineering, University of Science and Technology Beijing, China. His current research interests include Physical Unclonable Function (PUF), Smart Home, Security Solutions, ZigBee, Computer Architecture and Hardware Security. He is a student member of IEEE.

References (22)

  • M. Akriotou et al. Random number generation from a secure photonic physical unclonable hardware module. The 1st International ISCIS Security Workshop (2018)
  • Z. Alliance. Zigbee specification document 053474r20. ZigBee Standard Organisation (2012)
  • F. Armknecht et al. A formalization of the security features of physical functions (2011)
  • C. Böhm et al. Physical Unclonable Functions in Theory and Practice (2012)
  • U. Chatterjee et al. A PUF-based secure communication protocol for IoT. ACM Trans. Embedded Comput. Syst. (TECS) (2017)
  • I. Eichhorn et al. Logically Reconfigurable PUFs, Memory-Based Secure Key Storage (2011)
  • A. Garg et al. Design of SRAM PUF with improved uniformity and reliability utilizing device aging effect. 2014 IEEE International Symposium on Circuits and Systems (ISCAS) (2014)
  • B. Gassend, M. van Dijk, D. Clarke, S. Devadas, Controlled Physical Random Functions, Springer London, pp. 235–253....
  • B. Gassend et al. Identification and authentication of integrated circuits. Concurrency Comput. Pract. Exp. (2004)
  • J. Guajardo et al. FPGA intrinsic PUFs and their use for IP protection. International Workshop on Cryptographic Hardware and Embedded Systems (2007)
  • O. Günlü et al. Secure and reliable key agreement with physical unclonable functions. Entropy (2018)

Huansheng Ning is a professor and vice dean of the School of Computer and Communication Engineering, University of Science and Technology Beijing, China. His current research focuses on the Internet of Things and general cyberspace. He is the founder of the Cyberspace and Cybermatics International Science and Technology Cooperation Base. His research interests include Cybermatics, Internet of Things, Cyber-Physical Social Systems.

Hong Liu received her PhD degree from the School of Electronic and Information Engineering, Beihang University, China. She is working at the School of Computer Science and Software Engineering, East China Normal University, China, and also with the Shanghai Trusted Industrial Control Platform Co., Ltd, China. She focuses on the security and privacy issues in radio frequency identification, vehicle-to-grid (V2G) networks, and internet of things. She is a member of the IEEE.

Laurence Tianruo Yang received a PhD degree in computer science from the University of Victoria, Canada. He is a professor in the Department of Computer Science, St. Francis Xavier University, Canada. His research interests include parallel and distributed computing, embedded and ubiquitous computing, and big data. His research has been supported by the National Sciences and Engineering Research Council and Canada Foundation for Innovation.

Liming Chen is a Professor of computer science in the School of Computer Science and Informatics, De Montfort University. He has worked as a Senior Research Fellow in the School of Electronics and Computer Science, University of Southampton, and a Lecturer, a Senior Lecturer, and a Reader in the School of Computing and Mathematics, University of Ulster. His current research interests include intelligent systems, pervasive computing, activity modeling and recognition, personalization and adaptation, smart environment, and their application in ambient-assisted living. He has served as a Guest Editor for ten journal special issues and six books, and as an Associate Editor for the IEEE TRANSACTIONS ON HUMAN MACHINE SYSTEMS.
