Paper 2022/292

Comment on "SRAM-PUF Based Entities Authentication Scheme for Resource-constrained IoT Devices"

Michael Amar, Amit Kama, Kang Wang, and Yossi Oren

Abstract

The cloud-based Internet of Things (IoT) creates opportunities for more direct integration of the physical world and computer-based systems, allowing advanced applications based on sensing, analyzing and controlling the physical world. IoT deployments, however, are at particular risk of counterfeiting, through which an adversary can corrupt the entire ecosystem. Therefore, entity authentication of edge devices is considered an essential part of the security of IoT systems. A recent paper of Farha et al. suggested an entity authentication scheme suitable for low-resource IoT edge devices, which relies on SRAM-based physically unclonable functions (PUFs). In this paper we analyze this scheme. We show that, while it claims to offer strong PUF functionality, the scheme creates only a weak PUF: an active attacker can completely read out the secret PUF response of the edge device after a very small number of queries, converting the scheme into a weak PUF scheme which can then be counterfeited easily. After analyzing the scheme, we propose an alternative construction for an authentication method based on SRAM-PUF which better protects the secret SRAM startup state.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Preprint.
Keywords
IOT, PUF
Contact author(s)
yos @ bgu ac il
History
2022-03-07: received
Short URL
https://ia.cr/2022/292
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2022/292,
      author = {Michael Amar and Amit Kama and Kang Wang and Yossi Oren},
      title = {Comment on ``{SRAM}-{PUF} Based Entities Authentication Scheme for Resource-constrained {IoT} Devices''},
      howpublished = {Cryptology {ePrint} Archive, Paper 2022/292},
      year = {2022},
      url = {https://eprint.iacr.org/2022/292}
}