The Internet of Things gets a new 10 times more reliable security feature

Rice’s new design for creating security keys with a physically unclonable function (PUF) proved more reliable, more energy efficient and smaller than previously published PUF technologies. (Photo by Jeff Fitlow/Rice University)

‘Physically unclonable function’ is 10 times more reliable than previous methods

Rice University integrated circuit (IC) designers are at Silicon Valley’s premier chip-design conference to unveil technology that is 10 times more reliable than current methods of producing unclonable digital fingerprints for Internet of Things (IoT) devices.

Rice’s Kaiyuan Yang and Dai Li will present their physically unclonable function (PUF) technology today at the 2019 International Solid-State Circuits Conference (ISSCC), a prestigious scientific conference known informally as the “Chip Olympics.” PUF uses a microchip’s physical imperfections to produce unique security keys that can be used to authenticate devices linked to the Internet of Things.

Considering that some experts expect Earth to pass the threshold of 1 trillion internet-connected sensors within five years, there is growing pressure to improve the security of IoT devices.

Yang and Li’s PUF provides a leap in reliability by generating two unique fingerprints for each PUF. This “zero-overhead” method uses the same PUF components to make both keys and does not require extra area or latency because of an innovative design feature that also allows their PUF to be about 15 times more energy efficient than previously published versions.

“Basically each PUF unit can work in two modes,” said Yang, assistant professor of electrical and computer engineering. “In the first mode, it creates one fingerprint, and in the other mode it gives a second fingerprint. Each one is a unique identifier, and dual keys are much better for reliability. On the off chance the device fails in the first mode, it can use the second key. The probability that it will fail in both modes is extremely small.”

As a means of authentication, PUF fingerprints have several of the same advantages as human fingerprints, he said.

“First, they are unique,” Yang said. “You don’t have to worry about two people having the same fingerprint. Second, they are bonded to the individual. You cannot change your fingerprint or copy it to someone else’s finger. And finally, a fingerprint is unclonable. There’s no way to create a new person who has the same fingerprint as someone else.”

PUF-derived encryption keys are also unique, bonded and unclonable. To understand why, it helps to understand that each transistor on a computer chip is incredibly small. More than a billion of them can be crammed onto a chip half the size of a credit card. But for all their precision, microchips are not perfect. The difference between transistors can amount to a few more atoms in one or a few fewer in another, but those minuscule differences are enough to produce the electronic fingerprints used to make PUF keys.

For a 128-bit key, a PUF device would send request signals to an array of PUF cells comprising several hundred transistors, allocating a one or zero to each bit based on the responses from the PUF cells. Unlike a numeric key that’s stored in a traditional digital format, PUF keys are actively created each time they’re requested, and different keys can be used by activating a different set of transistors.

Adopting PUF would allow chipmakers to inexpensively and securely generate secret keys for encryption as a standard feature on next-generation computer chips for IoT devices like “smart home” thermostats, security cameras and lightbulbs.

Encrypted lightbulbs? If that sounds like overkill, consider that unsecured IoT devices are what three young computer savants assembled by the hundreds of thousands to mount the October 2016 distributed denial-of-service attack that crippled the internet on the East Coast for most of a day.

“The general concept for IoT is to connect physical objects to the internet in order to integrate the physical and cyber worlds,” Yang said. “In most consumer IoT today, the concept isn’t fully realized because many of the devices are powered and almost all use existing IC feature sets that were developed for the mobile market.”

In contrast, the devices coming out of research labs like Yang’s are designed for IoT from the ground up. Measuring just a few millimeters in size, the latest IoT prototypes can pack a processor, flash memory, wireless transmitter, antenna, one or more sensors, batteries and more into an area the size of a grain of rice.

PUF is not a new idea for IoT security, but Yang and Li’s version of PUF is unique in terms of reliability, energy efficiency and the amount of area it would take to implement on a chip. For starters, Yang said the performance gains were measured in tests at military-grade temperatures ranging from 125 degrees Celsius to minus 55 degrees Celsius and when supply voltage dropped by up to 50 percent.

“If even one transistor behaves abnormally under varying environmental conditions, the device will produce the wrong key, and it will look like an inauthentic device,” Yang said. “For that reason, reliability, or stability, is the most important measure for PUF.”
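The reliability argument above, as an added example that is not from the Rice paper or the original article. It assumes a toy model: each cell's bit is the sign of a fixed manufacturing mismatch plus read noise, and the two modes are modelled as independent mismatches (the names `ToyPuf`, `make_device` and `failure_rates` are hypothetical). It shows how a small per-bit error rate becomes a frequent 128-bit key failure, and how a second key lowers the failure rate.

```python
import hashlib
import random

KEY_BITS = 128  # key length used in the article's example


def key_failure_probability(bit_error_rate, bits=KEY_BITS):
    """Chance that at least one of `bits` independent bits flips in one read."""
    return 1.0 - (1.0 - bit_error_rate) ** bits


class ToyPuf:
    """Toy PUF (assumed model, not the Rice circuit)."""

    def __init__(self, rng, modes=2):
        self.rng = rng
        # Fixed per-cell mismatch from manufacturing, one set per operating mode.
        self.mismatch = [[rng.gauss(0.0, 1.0) for _ in range(KEY_BITS)]
                         for _ in range(modes)]

    def read_key(self, mode, noise_sigma):
        """Regenerate the key: each bit is the sign of mismatch plus read noise."""
        value = 0
        for m in self.mismatch[mode]:
            noisy = m + self.rng.gauss(0.0, noise_sigma)
            value = (value << 1) | (1 if noisy > 0 else 0)
        return value.to_bytes(KEY_BITS // 8, "big")


def make_device(seed):
    """Constructed sample device: the seed stands in for process variation."""
    return ToyPuf(random.Random(seed))


def digest(key):
    return hashlib.sha256(key).digest()


def enroll(puf):
    """Record a digest of each mode's noise-free key; the key is not kept."""
    return [digest(puf.read_key(mode, 0.0)) for mode in range(len(puf.mismatch))]


def failure_rates(noise_sigma, trials=500, seed=1):
    """Return (single-key failure rate, dual-key failure rate) for one device."""
    puf = make_device(seed)
    enrolled = enroll(puf)
    single_fail = dual_fail = 0
    for _ in range(trials):
        ok_first = digest(puf.read_key(0, noise_sigma)) == enrolled[0]
        ok_second = digest(puf.read_key(1, noise_sigma)) == enrolled[1]
        single_fail += not ok_first          # one wrong bit means a wrong key
        dual_fail += not (ok_first or ok_second)
    return single_fail / trials, dual_fail / trials


if __name__ == "__main__":
    print("analytic, 0.1% bit errors:", round(key_failure_probability(0.001), 3))
    for sigma in (0.0, 0.01, 0.05):
        single, dual = failure_rates(sigma)
        print(f"noise={sigma}: single-key fail={single:.3f}, dual-key fail={dual:.3f}")
```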

Energy efficiency also is important for IoT, where devices can be expected to run for a decade on a single battery charge. In Yang and Li’s PUF, keys are created using a static voltage rather than by actively powering up the transistor. It’s counterintuitive that the static approach would be more energy efficient because it’s the equivalent of leaving the lights on 24/7 rather than flicking the switch to get a quick glance of the room.

“Normally, people have sleep mode activated, and when they want to create a key, they activate the transistor, switch it once and then put it to sleep again,” Yang said. “In our design, the PUF module is always on, but it takes very little power, even less than a conventional system in sleep mode.”

On-chip area — the amount of space and expense manufacturers would have to allocate to put the PUF device on a production chip — is the third metric where they outperform previously reported work. Their design occupied 2.37 square micrometers to generate one bit on prototypes produced using 65-nanometer complementary metal-oxide-semiconductor (CMOS) technology.

Learn more: Rice U. researchers unveil Internet of Things security feature

Fast and energy-saving encryption for the internet of things

Special-purpose chip reduces power consumption of public-key encryption by 99.75 percent, increases speed 500-fold.

Most sensitive web transactions are protected by public-key cryptography, a type of encryption that lets computers share information securely without first agreeing on a secret encryption key.

Public-key encryption protocols are complicated, and in computer networks, they’re executed by software. But that won’t work in the internet of things, an envisioned network that would connect many different sensors — embedded in vehicles, appliances, civil structures, manufacturing equipment, and even livestock tags — to online servers. Embedded sensors that need to maximize battery life can’t afford the energy and memory space that software execution of encryption protocols would require.

MIT researchers have built a new chip, hardwired to perform public-key encryption, that consumes only 1/400 as much power as software execution of the same protocols would. It also uses about 1/10 as much memory and executes 500 times faster. The researchers describe the chip in a paper they’re presenting this week at the International Solid-State Circuits Conference.

Like most modern public-key encryption systems, the researchers’ chip uses a technique called elliptic-curve encryption. As its name suggests, elliptic-curve encryption relies on a type of mathematical function called an elliptic curve. In the past, researchers — including the same MIT group that developed the new chip — have built chips hardwired to handle specific elliptic curves or families of curves. What sets the new chip apart is that it is designed to handle any elliptic curve.

“Cryptographers are coming up with curves with different properties, and they use different primes,” says Utsav Banerjee, an MIT graduate student in electrical engineering and computer science and first author on the paper. “There is a lot of debate regarding which curve is secure and which curve to use, and there are multiple governments with different standards coming up that talk about different curves. With this chip, we can support all of them, and hopefully, when new curves come along in the future, we can support them as well.”

Joining Banerjee on the paper are his thesis advisor, Anantha Chandrakasan, dean of MIT’s School of Engineering and the Vannevar Bush Professor of Electrical Engineering and Computer Science; Arvind, the Johnson Professor in Computer Science Engineering; and Andrew Wright and Chiraag Juvekar, both graduate students in electrical engineering and computer science.

Modular reasoning

To create their general-purpose elliptic-curve chip, the researchers decomposed the cryptographic computation into its constituent parts. Elliptic-curve cryptography relies on modular arithmetic, meaning that the values of the numbers that figure into the computation are assigned a limit. If the result of some calculation exceeds that limit, it’s divided by the limit, and only the remainder is preserved. The secrecy of the limit helps ensure cryptographic security.

One of the computations to which the MIT chip devotes a special-purpose circuit is thus modular multiplication. But because elliptic-curve cryptography deals with large numbers, the chip’s modular multiplier is massive. Typically, a modular multiplier might be able to handle numbers with 16 or maybe 32 binary digits, or bits. For larger computations, the results of discrete 16- or 32-bit multiplications would be integrated by additional logic circuits.

The MIT chip’s modular multiplier can handle 256-bit numbers, however. Eliminating the extra circuitry for integrating smaller computations both reduces the chip’s energy consumption and increases its speed.

Another key operation in elliptic-curve cryptography is called inversion. Inversion is the calculation of a number that, when multiplied by a given number, will yield a modular product of 1. In previous chips dedicated to elliptic-curve cryptography, inversions were performed by the same circuits that did the modular multiplications, saving chip space. But the MIT researchers instead equipped their chip with a special-purpose inverter circuit. This increases the chip’s surface area by 10 percent, but it cuts the power consumption in half.

The most common encryption protocol to use elliptic-curve cryptography is called the datagram transport layer security protocol, which governs not only the elliptic-curve computations themselves but also the formatting, transmission, and handling of the encrypted data. In fact, the entire protocol is hardwired into the MIT researchers’ chip, which dramatically reduces the amount of memory required for its execution.

The chip also features a general-purpose processor that can be used in conjunction with the dedicated circuitry to execute other elliptic-curve-based security protocols. But it can be powered down when not in use, so it doesn’t compromise the chip’s energy efficiency.

“They move a certain amount of functionality that used to be in software into hardware,” says Xiaolin Lu, director of the internet of things (IOT) lab at Texas Instruments. “That has advantages that include power and cost. But from an industrial IOT perspective, it’s also a more user-friendly implementation. For whoever writes the software, it’s much simpler.”

Learn more: Energy-efficient encryption for the internet of things

Internet of Toys plays a major role in privacy and security

Action is needed to monitor and control the emerging Internet of Toys, concludes a new JRC report. Privacy and security are highlighted as main areas of concern.

Large numbers of connected toys have been put on the market over the past few years, and the turnover is expected to reach €10 billion by 2020 – up from just €2.6 billion in 2015.

Connected toys come in many different forms, from smart watches to teddy bears that interact with their users. They are connected to the internet and together with other connected appliances they form the Internet of Things, which is bringing technology into our daily lives more than ever.

However, the toys’ ability to record, store and share information about their young users raises concerns about children’s safety, privacy and social development.

A team of JRC scientists and international experts looked at the safety, security, privacy and societal questions emerging from the rise of the Internet of Toys. The report invites policymakers, industry, parents and teachers to study connected toys more in depth in order to provide a framework which ensures that these toys are safe and beneficial for children.

Robotification of childhood

Robots are no longer used only in industry to carry out repetitive or potentially dangerous tasks. In recent years, robots have entered our everyday lives, and children too are increasingly likely to encounter robotic or artificial intelligence-enhanced toys.

We still know relatively little about the consequences of children’s interaction with robotic toys. However, it is conceivable that they represent both opportunities and risks for children’s cognitive, socio-emotional and moral-behavioural development.

For example, social robots may further the acquisition of foreign language skills by compensating for the lack of native speakers as language tutors or by removing the barriers and peer pressure encountered in the classroom. There is also evidence about the benefits of child-robot interaction for children with developmental problems, such as autism or learning difficulties, who may find human interaction difficult.

However, the internet-based personalization of children’s education via filtering algorithms may also increase the risk of ‘educational bubbles’ where children only receive information that fits their pre-existing knowledge and interest – similar to adult interaction on social media networks.

Safety and security considerations

The rapid rise in internet connected toys also raises concerns about children’s safety and privacy. In particular, the way that data gathered by connected toys is analysed, manipulated and stored is not transparent, which poses an emerging threat to children’s privacy.

The data provided by children while they play, i.e. the sounds, images and movements recorded by connected toys, is personal data protected by the EU data protection framework, as well as by the new General Data Protection Regulation (GDPR). However, information on how this data is stored, analysed and shared might be hidden in long privacy statements or policies and often goes unnoticed by parents.

Whilst children’s right to privacy is the most immediate concern linked to connected toys, there is also a long term concern: growing up in a culture where the tracking, recording and analysing of children’s everyday choices becomes a normal part of life is also likely to shape children’s behaviour and development.

Usage framework to guide the use of connected toys

The report calls for industry and policymakers to create a connected toys usage framework to act as a guide for their design and use.

This would also help toymakers to meet the challenge of complying with the new European General Data Protection Regulation (GDPR), which comes into force in May 2018 and will increase citizens’ control over their personal data.

The report also calls for the connected toy industry and academic researchers to work together to produce better designed and safer products.

Advice for parents

The report concludes that it is paramount that we understand how children interact with connected toys and which risks and opportunities they entail for children’s development.

“These devices come with really interesting possibilities and the more we use them, the more we will learn about how to best manage them. Locking them up in a cupboard is not the way to go. We as adults have to understand how they work – and how they might ‘misbehave’ – so that we can provide the right tools and the right opportunities for our children to grow up happy in a secure digital world”, says Stéphane Chaudron, the report’s lead researcher at the Joint Research Centre (JRC).

The authors of the report encourage parents to get informed about the capabilities, functions, security measures and privacy settings of toys before buying them. They also urge parents to focus on the quality of play by observing their children, talking to them about their experiences and playing alongside and with their children.

Protecting and empowering children

Through the Alliance to better protect minors online and with the support of UNICEF, NGOs, Toy Industries Europe and other industry and stakeholder groups, European and global ICT and media companies are working to improve the protection and empowerment of children when using connected toys. This self-regulatory initiative is facilitated by the European Commission and aims to create a safer and more stimulating digital environment for children.

More information

JRC report “Kaleidoscope on the Internet of Toys: Safety, security, privacy and societal insights”

Learn more: Connected dolls and tell-tale teddy bears: why we need to manage the Internet of Toys

Typical office scanner can be used as a cyberattack tool via laser or smartbulb

A typical office scanner can be infiltrated and a company’s network compromised using different light sources, according to a new paper by researchers from Ben-Gurion University of the Negev and the Weizmann Institute of Science.

“In this research, we demonstrated how to use a laser or smart bulb to establish a covert channel between an outside attacker and malware installed on a networked computer,” says lead author Ben Nassi, a graduate student in the BGU Department of Software and Information Systems Engineering as well as a researcher at the BGU Cyber Security Research Center (CSRC). “A scanner with the lid left open is sensitive to changes in the surrounding light and might be used as a back door into a company’s network.”

The researchers conducted several demonstrations to transmit a message into computers connected to a flatbed scanner. Using direct laser light sources up to a half-mile (900 meters) away, as well as on a drone outside their office building, the researchers successfully sent a message to trigger malware through the scanner.

In another demonstration, the researchers used a Galaxy 4 Smartphone to hijack a smart lightbulb (using radio signals) in the same room as the scanner. Using a program they wrote, they manipulated the smart bulb to emit pulsating light that delivered the triggering message in only seconds.

To mitigate this vulnerability, the researchers recommend organizations connect a scanner to the network through a proxy server — a computer that acts as an intermediary — which would prevent establishing a covert channel. This might be considered an extreme solution, however, since it also limits printing and faxing remotely on all-in-one devices.

“We believe this study will increase the awareness to this threat and result in secured protocols for scanning that will prevent an attacker from establishing such a covert channel through an external light source, smart bulb, TV, or other IoT (Internet of Things) device,” Nassi says.

Learn more: Scanners Can Be Hijacked to Perpetrate Cyberattacks

A New Era of Internet Attacks Powered by Everyday Devices

When surveillance cameras began popping up in the 1970s and ’80s, they were welcomed as a crime-fighting tool, then as a way to monitor traffic congestion, factory floors and even baby cribs. Later, they were adopted for darker purposes, as authoritarian governments like China’s used them to prevent challenges to power by keeping tabs on protesters and dissidents.

But now those cameras — and many other devices that today are connected to the internet — have been commandeered for an entirely different purpose: as a weapon of mass disruption. The internet slowdown that swept the East Coast on Friday, when many Americans were already jittery about the possibility that hackers could interfere with election systems, offered a glimpse of a new era of vulnerabilities confronting a highly connected society.

The attack on the infrastructure of the internet, which made it all but impossible at times to check Twitter feeds or headlines, was a remarkable reminder about how billions of ordinary web-connected devices — many of them highly insecure — can be turned to vicious purposes. And the threats will continue long after Election Day for a nation that increasingly keeps its data in the cloud and has oftentimes kept its head in the sand.

Remnants of the attack continued to slow some sites on Saturday, though the biggest troubles had abated. Still, to the tech community, Friday’s events were as inevitable as an earthquake along the San Andreas fault. A new kind of malicious software exploits a long-known vulnerability in those cameras and other cheap devices that are now joining up to what has become known as the internet of things.

The advantage of putting every device on the internet is obvious. It means your refrigerator can order you milk when you are running low, and the printer on your home network can tell a retailer that you need more ink. Security cameras can alert your cellphone when someone is walking up the driveway, whether it is a delivery worker or a burglar. When Google and the Detroit automakers get their driverless cars on the road, the internet of things will become your chauffeur.

But hundreds of thousands, and maybe millions, of those security cameras and other devices have been infected with a fairly simple program that guessed at their factory-set passwords — often “admin” or “12345” or even, yes, “password” — and, once inside, turned them into an army of simple robots. Each one was commanded, at a coordinated time, to bombard a small company in Manchester, N.H., called Dyn DNS with messages that overloaded its circuits.

Few have heard of Dyn, but it essentially acts as one of the internet’s giant switchboards. Bring it to a halt, and the problems spread instantly. It did not take long to reduce Twitter, Reddit and Airbnb — as well as the news feeds of The New York Times — to a crawl.

The culprit is unclear, and it may take days or weeks to detect it. In the end, though, the answer probably does not mean much anyway.

The vulnerability the country woke up to on Friday morning can be easily exploited by a nation-state such as Russia, which the Obama administration has blamed for hacking into the Democratic National Committee and the accounts of Hillary Clinton’s campaign officials. It could also be exploited by a criminal group, which was the focus of much of the guesswork about Friday’s attack, or even by teenagers. The opportunities for copycats are endless.

Learn more: A New Era of Internet Attacks Powered by Everyday Devices