News Article

In Silicon We Trust
Date: Jan 15, 2009
Author: Keith Costa
Source: MDA

Featured firm in this article: Verayo Inc of San Jose, CA



by Keith Costa/techapps@nttc.edu

For years, manufacturers have turned to global outsourcing of semiconductor fabrication to lower their production costs. While this trend helps keep computer prices down, there has been growing concern about the security of far-flung supply chains for sophisticated integrated circuits used in industrial and military applications. Consumers worldwide are worried about the opportunities available to criminals and spies to clone these semiconductors, or to replace them with malicious integrated circuits that can cause a vital telecommunications switch or a weapon system to malfunction.

To reassure their customers, manufacturers have been on the lookout for better ways of ensuring the authenticity of their products from factory floor to final destination. In the near future, these manufacturers may increasingly turn their attention to MDA-funded Verayo, Inc. (Palo Alto, CA), which has been developing what promises to be a breakthrough technology for satisfying the growing demand for trusted semiconductor supply-chain processes.

The company has begun marketing its own radio-frequency identification (RFID) chip that includes this technology, called Physical Unclonable Functions (PUF). This RFID chip can be attached to any product for tracking and authentication, whether in transit or sitting on a shelf, and may soon draw interest from pharmaceutical companies and makers of luxury goods.


Challenging chip identity
The company describes its technology as a kind of electronic fingerprinting for integrated circuits. Using PUF technology, a semiconductor can be verified at any point in the supply chain to confirm that it is exactly what the manufacturer advertises.

PUFs are low-power electrical circuits placed on individual silicon chips. They do not take up much space, and once installed they can extract secret information from the devices to authenticate them, or they can enable a host of security applications. Authentication is achieved by deriving what are called challenge-and-response pairs.

Using a computer, a technician can issue a challenge in the form of a binary number to the PUF circuit, which will generate a response. The challenge can be 64 bits (or longer when extra security is needed), and the response will be the same length. Given the way PUFs work, the response will be unique for every chip. A whole set of challenge-and-response pairs can be collected and stored in a database at a secure location. These stored challenge-and-response pairs can then be used one at a time at different points in a supply chain to authenticate the chip: If a challenge results in the wrong response, then something is wrong with the chip.

The process is similar to fingerprinting, in that fingerprints are collected from people and then used at a later date to verify their identities. For added security, a challenge-response pair can be thrown out after it is used just one time. For instance, if the challenge-response pair for a secure-access identification card is compromised, it will not matter, because a new pair will be in place by the time someone tries to use the ill-gained information.
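The enrollment and one-time challenge-response check described above can be sketched in Python; this is an added example, not Verayo's code. The SimulatedPUF class, the HMAC-based stand-in for silicon variation, the chip ID and the MAX_BIT_ERRORS noise tolerance are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

CHALLENGE_BYTES = 8   # 64-bit challenge, response of the same length
MAX_BIT_ERRORS = 6    # assumed tolerance for measurement noise


class SimulatedPUF:
    """Software stand-in for a PUF circuit; real silicon stores no secret."""

    def __init__(self, noisy_bits=0):
        self._variation = secrets.token_bytes(32)  # models per-chip variation
        self._noisy_bits = noisy_bits

    def respond(self, challenge):
        digest = hmac.new(self._variation, challenge, hashlib.sha256).digest()
        value = int.from_bytes(digest[:CHALLENGE_BYTES], "big")
        for _ in range(self._noisy_bits):          # flip a few random bits
            value ^= 1 << secrets.randbelow(CHALLENGE_BYTES * 8)
        return value.to_bytes(CHALLENGE_BYTES, "big")


class Verifier:
    """Database of enrolled challenge-response pairs, kept at a secure site."""

    def __init__(self):
        self._pairs = {}                           # chip_id -> [(challenge, response)]

    def enroll(self, chip_id, puf, count):
        challenges = [secrets.token_bytes(CHALLENGE_BYTES) for _ in range(count)]
        self._pairs[chip_id] = [(c, puf.respond(c)) for c in challenges]

    def remaining(self, chip_id):
        return len(self._pairs.get(chip_id, []))

    def authenticate(self, chip_id, device):
        pairs = self._pairs.get(chip_id)
        if not pairs:
            return False                           # unknown chip or pairs used up
        challenge, expected = pairs.pop()          # each pair is used only once
        answer = device.respond(challenge)
        diff = int.from_bytes(answer, "big") ^ int.from_bytes(expected, "big")
        return bin(diff).count("1") <= MAX_BIT_ERRORS
```

A pair is discarded whether the check passes or fails, so a response captured in transit is never accepted for a later challenge.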

The reason why PUFs generate unique challenge-response pairs for every chip has to do with semiconductor manufacturing processes. Even if two chips perform the same function and come from the same wafer, they will come out of the production line with variations at the subatomic level. PUFs exploit these variations to characterize the chip, converting analog differences into digital signals for challenges and responses.

The challenge-and-response capability makes PUF-enhanced chips virtually unclonable because the exact subatomic variations cannot be replicated. Even if someone clones a chip and tries to pass it on as the original, it will be easily identified as bogus when a challenge extracts the wrong response.

Tuning in to security
PUFs offer security and cost advantages over state-of-the-art technology (including other RFID methods) for authenticating integrated circuits. The most advanced techniques available today involve cryptography—essentially, storing on a chip a secret number, or key, that can be verified to identify the device. The problem is that manufacturers are continuously at odds with hackers who keep finding ways to bypass ever more elaborate and expensive security features and compromise their chips.

For simple authentication, PUF technology is a far simpler and more effective solution than cryptography, especially for RFIDs, according to Vivek Khandelwal, Verayo's director of marketing. For this reason, Khandelwal and his colleagues believe the RFID market is ripe for their technology.

In 2008, Verayo unveiled its PUF-enhanced RFID chip, called the Vera X512H. The company decided to make its own chip to refine its technology and prove it works, hoping eventually to grab the attention of large RFID manufacturers. Verayo claims to be the first to marry a proprietary PUF to an RFID application.

The company's primary commercial goal is to draw interest from customers from the semiconductor world and beyond. Potential customers include pharmaceutical companies and makers of luxury goods whose reputations depend on trusted supply chains: PUF challenges and responses can verify that a product on the shelf is legitimate.

Verayo has been working on PUF technology since it opened its doors in 2005. At the time, the company was called PUFCO. It changed its name in spring 2008. The technology is patented by the Massachusetts Institute of Technology (MIT), which licensed it to Verayo. The man who pioneered PUF technology at MIT, Srinivas Devadas, founded the company along with Tom Ziola, a former senior director for mobile and embedded devices at Microsoft. Devadas is Verayo's chief technology officer. Ziola, Verayo's former president and CEO, remains an adviser to the company.

MDA became interested in Verayo because of concerns about outsourcing the fabrication of integrated circuits for defense systems to overseas operations. In particular, though, MDA wanted to know whether PUF circuits would be effective in radiation-laden environments. In 2007, MDA awarded Verayo—then PUFCO—a Phase II SBIR contract to test PUF-enhanced application-specific integrated-circuit (ASIC) devices in environments that require radiation-hardening. For MDA and other U.S. government customers, Verayo is further developing its PUF technology for applications that require cryptography, rather than the simpler kind of authentication capability built into the company's RFID chip.


Tightening transactions
Just like its PUF-RFID chip, PUF-enabled chips for cryptographic applications will not store keys in the silicon, which can be hacked. Rather, keys will be generated dynamically by issuing challenges and responses; each challenge can be used as a key for a cryptographic operation. Verayo has been working on error-correction technology that will account for the way radiation can slightly alter the response from a PUF circuit after receiving a challenge.
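One textbook way to regenerate the same key from a slightly noisy PUF response is a code-offset scheme with a repetition code, shown here as an added example that is not Verayo's error-correction design. The 7x repetition factor, the function names and the constructed noise positions are assumptions.

```python
import hashlib
import random

REPEAT = 7   # assumed code: each key bit is spread over 7 response bits


def derive_key(key_bits):
    """Hash the recovered bits into a fixed-length key (hex string)."""
    return hashlib.sha256(bytes(key_bits)).hexdigest()


def enroll(response_bits, rng):
    """Return (helper_data, key). Only helper_data is stored; the key is not."""
    n_key_bits = len(response_bits) // REPEAT
    key_bits = [rng.getrandbits(1) for _ in range(n_key_bits)]
    codeword = [b for b in key_bits for _ in range(REPEAT)]
    helper = [r ^ c for r, c in zip(response_bits, codeword)]
    return helper, derive_key(key_bits)


def reconstruct(noisy_response_bits, helper):
    """Regenerate the key from a fresh, possibly noisy, PUF response."""
    noisy_codeword = [r ^ h for r, h in zip(noisy_response_bits, helper)]
    key_bits = []
    for i in range(0, len(noisy_codeword), REPEAT):
        block = noisy_codeword[i:i + REPEAT]
        key_bits.append(1 if sum(block) > REPEAT // 2 else 0)  # majority vote
    return derive_key(key_bits)


def flip(bits, positions):
    """Constructed noise model: invert the response bits at these positions."""
    return [b ^ 1 if i in positions else b for i, b in enumerate(bits)]


if __name__ == "__main__":
    rng = random.Random(2009)   # fixed seed for a repeatable demo only
    response = [rng.getrandbits(1) for _ in range(896)]  # constructed response
    helper, key = enroll(response, rng)
    print(reconstruct(flip(response, {0, 1, 2, 35}), helper) == key)
```

Up to three flipped bits in any group of seven are corrected; a fourth flip in the same group yields a different key, which is why the code strength has to match the expected noise.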

Verayo envisions a large commercial market for PUF-enhanced chips with cryptographic capability. For example, these chips could facilitate secure transactions with smart cards, credit cards, and near-field communication, which allows people to buy goods with a mobile phone. Near-field communication is catching on faster in Europe and Japan than in the United States, but the problem is that the phones employ stored keys, which can be compromised. Verayo officials believe PUF technology with key-generating capabilities would be more secure and could help pave the way for near-field communications in the U.S. market.