Security at the Hardware Level: No Longer Optional — It’s Required
While emerging technologies like the Internet of Things (IoT) and machine-to-machine (M2M) communications are heralding in exciting new products, they’re equally raising security concerns as the points of access to a system continue to grow, and devices fail to comply to basic security best practices, such as demanding strong passwords, using encrypted data transmissions, and restricting access of user information. A study released by HP last week confirmed that 70% of commonly used IoT devices are vulnerable to security attacks because they fail to adopt these simple practices. This is creating a more prescient need for robust security systems implemented at the hardware level, something that domains such as finance, medical, and military that have to secure sensitive information already know. While anti-virus, anti-theft, or virtualization techniques can help keep a system secure, there are an increased number of continuous attacks on Root-of-Trust (RoT), functions that systems automatically trust, making hardware-based security a mandatory choice.
Implementing RoT in hardware is more reliable than software because it offers a smaller attack surface. It’s much more difficult to tamper with the data if security is implemented at the hardware stack because of the limited access to the hardware system. Hardware RoT, consists of memory and executable instructions in a secure area on your main chip, isolated from the main device’s operating system. This hardware separation protects data running in the hardware RoT from malicious attacks because of inherently controlled access.
Here are some commonly used hardware security primitives you should be aware of:
1. Physical Unclonable Functions (PUF)
Storing confidential digital information safely in memory (such as battery-backed RAM, non-volatile memory, or flash) is difficult as well as unreliable when high levels of security are needed for applications like RFID access cards or smart cards. Physical Unclonable Functions (PUF) are of great help here, as they generate trusted data only when required (when the chip is powered on) on the basis of physical characteristics of the IC, such as random delay of wires and transistors. They are easy to make and embed in a physical system while nearly impossible to duplicate or predict even by same IC manufacturer
The success of even a highly complex cryptographic algorithm lies in the generation of truly unpredictable and random keys. Even the designer of a true random number generator (TRNG) should not be able to make an estimate on the output value. TRNG is better than Pesudorandom generator (PRNG) as PRNG uses a deterministic process from the initial seed, a defined set of functions performed on a random number called seed to generate random output, while TRNG uses a non-deterministic value like thermal (resistance or shot) noise or atmospheric noise to generate completely random output.
3. Trusted Platform Modules (TPM)
Trusted Platform Modules are microcontroller-based low cost, small footprint, tamper resistant security modules for trusted computing platforms. It is a Root-of-Trust which stores sensitive data and performs security tasks in a protected space. Major cryptographic features supported in TPMs are random number generation, asymmetric encryption/decryption, RSA, SHA-1 (Hash algorithm) and Keyed-Hash Message Authentication Code (HMAC). BitLocker by Microsoft, used to encrypt documents and password, is an example of TPM.