1. How To Secure Devices in Supply Chain Management?
Dr. Kiran Manjappa
Assistant Professor, Dept. of IT, NITK
2. IoT
● IoT Network has improved the quality of our life.
○ Industry 4.0
● 2025 - 75 Billion IoT Devices will be connected to the world wide network [1]
○ Supply-Chain, Healthcare, Location Information, Tracking Devices,
○ Smart City Networks
● Security threats are also growing in parallel.
● On one side, the IoT network provides security to us; on the other side, the IoT network itself needs security.
○ IoT network needs security to provide security to us.
● 2019 - 2.9 Billion Attacks [1]
○ Increased by threefold when compared to 2018 statistics.
3. Security Breaches - Real World Examples
● Ransomware - WannaCry - 2017
○ Took advantage of anonymity in Bitcoin
● Petya - Exploited third-party software.
○ Ukraine.
● The Dyn Cyber Attack - DNS
6. Conventional Security in IoT - Problems
● IoT Devices are resource Constrained Devices
○ Usually low cost designs.
● Conventional security techniques require higher resources
○ Not Suitable for IoT Devices
● Hence, other security techniques for IoT are being explored.
7. Hardware Security
● Hardware (or Device) - Threats
○ Cloning, Hijacking
○ Gray Market
○ Recycled ICs, Duplicate Devices, Hardware Trojans, Counterfeits, Pirated Products, Copy Cats….
○ Gradually Increasing - A Threat for IoT Devices
○ IoT Devices - Easily Targetable.
○ Industry and academia are working hand in hand to stem the tide.
○ Counterfeit of an IoT Device can happen during any stage of its life cycle.
■ Manufacturing
■ While In the Field.
■ Supply Chain - Most common
Image Source: PUF (part 1) - YouTube
9. Hardware Authentication
Image Source: PUF (part 1) - YouTube
● Storing Keys in the Device Itself.
● There should be a memory in each device specifically for storing keys.
● Additional Hardware in the Device - EEPROM or Flash Memory
● Expensive
10. Hardware Authentication
[Figure labels: Server; Internet. Image Source: PUF (part 1) - YouTube]
● Entire Device can be Cloned.
● Keys can be compromised.
● What is the other option ?
11. Physically Unclonable Function (PUF)
● Hardware Security
○ Very Important
○ If Hardware itself is compromised, all the applications sitting above it will be vulnerable.
● Each hardware has its own unique characteristics
○ Ex. Startup Values of the Memory
● These characteristics will be exploited to implement PUF
● It is a hardware Root of Trust, Digital Fingerprint, Hardware ID etc.
● Uniquely Identifies a Device
● Lightweight, Cost Efficient protocols.
● No additional (resource-hungry) hardware or software involved
○ All we need is a single comparison.
12. PUFs
● A PUF is a function which works on Challenge - Response Pairs (CRPs)
● CRPs - The inherent characteristics of the devices for the particular events.
○ Stored in the Server.
● In future, if the same hardware device is exposed to the same event, it should produce the same result.
○ A challenge is given to the PUF in the hardware - the response is read from the PUF
○ The received response is then compared with the CRPs stored in the server.
13. PUF and CRPs
[Figure labels: During Manufacturing; CRP Table; Trusted Third Party]
CRP Table
No. | Challenge | Response
1 | C1 | R1
2 | C2 | R2
3 | C3 | R3
16. More about CRPs
● Who will give these CRPs?
○ Manufacturers have to give these CRPs
● How will they get these CRPs?
○ Different Methods
○ One of the methods is exposing the device to different voltages and finding the response
■ P voltage - Response from the Device
■ Q Voltage - Response from the Device
■ X Parameter - Y Responses
● These responses will be stored securely for future use.
17. [Figure: CRPs; Response is Compared]
● The CRP table will not be stored in the device.
● It will be stored in a trusted neutral place.
● Nothing is stored in the device except a function !!
● The PUF receives the challenge, executes it on the hardware, gets the result and passes the result to the calling function
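The enrollment and comparison flow from slides 12 to 17, as an added Python sketch that is not part of the original slides. `SimulatedPUF` and `Verifier` are hypothetical names; a keyed hash stands in for the physical variation of real silicon, and the bit-error tolerance and single-use CRP policy are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

RESP_BITS = 128
THRESHOLD = 16  # assumed tolerance: max differing bits still accepted

class SimulatedPUF:
    """Software stand-in for silicon; the fingerprint models physical variation."""

    def __init__(self, noise_bits=4):
        self._fingerprint = secrets.token_bytes(32)
        self._noise_bits = noise_bits

    def respond(self, challenge: bytes) -> int:
        digest = hmac.new(self._fingerprint, challenge, hashlib.sha256).digest()
        response = int.from_bytes(digest[:RESP_BITS // 8], "big")
        for _ in range(self._noise_bits):  # measurement noise: flip a few bits
            response ^= 1 << secrets.randbelow(RESP_BITS)
        return response

class Verifier:
    """Server side: holds the CRP table; the device stores nothing."""

    def __init__(self):
        self._crps = {}  # device_id -> list of (challenge, enrolled response)

    def enroll(self, device_id, puf, count=8):
        challenges = [secrets.token_bytes(16) for _ in range(count)]
        self._crps[device_id] = [(c, puf.respond(c)) for c in challenges]

    def remaining(self, device_id):
        return len(self._crps.get(device_id, []))

    def authenticate(self, device_id, puf) -> bool:
        table = self._crps.get(device_id)
        if not table:
            return False  # unknown device, or its CRPs are used up
        challenge, expected = table.pop()  # each CRP is used once
        distance = bin(expected ^ puf.respond(challenge)).count("1")
        return distance <= THRESHOLD

def demo():
    genuine, clone = SimulatedPUF(), SimulatedPUF()  # constructed devices
    server = Verifier()
    server.enroll("dev-001", genuine, count=3)
    return (server.authenticate("dev-001", genuine),
            server.authenticate("dev-001", clone),
            server.remaining("dev-001"))
```

Because every authentication attempt consumes one CRP, the table size chosen at enrollment bounds how many times a device can be checked.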
22. SRAM PUF - Memory Based PUF
● Each and every IoT device has a memory
● Easy to implement - No additional hardware
○ Practical and Cost Effective
○ Robust to Voltage and Temperature Fluctuation
● Memory based PUF
○ SRAM
○ SRAM Failure PUF
○ DRAM
○ DRAM Access Latency PUFs
○ Row Hammer PUFs
23. PUF Types - Based on Robustness
● Two Types
○ Weak PUF and Strong PUF
Sl. No | Weak PUF | Strong PUF
1 | Smaller Number of CRPs | More CRPs
2 | Vulnerable to the Attack; Attacker can guess CRPs | Invulnerable to the Attack; Difficult to Guess
3 | Assumption: Human Presence | Assumption: May be Random Places
4 | SRAM (MBs) | DRAM (GBs)
24. [Figure: CRPs; Weak PUF]
● PUF can be reused
● Man in the Middle Attack
Image Source: 17,365 Detective cartoon Vector Images, Detective cartoon Illustrations | Depositphotos
28. Supply Chain
● Globalization - The International Market - More Geographical Area - More space for the attackers.
● May cost legitimate suppliers their reputation and cause a financial loss.
● Tracking and Tracing is introduced in the supply chain.
○ Tracking - Current Possession of the product
○ Tracing - Transaction Transparency of the product’s life time.
● Cutting-edge technologies like 5G and Blockchain Technology have eased the Supply Chain Process.
31. [Figure: CRPs]
CRP Tables
● Centralized Database
● Trusted Third Party
● Cloud
● Encrypted or Plain Text
Disadvantages
● Single point of failure (SPF) and single point of attack (SPA)
● Compromised Trusted Third Party
● 75 Billion Devices !!! 75 Billion CRPs
○ How to manage ?
32. PUF + Blockchain Technology
● Recent Research
● Blockchain - Distributed Storage
○ No SPA, SPF
● Blockchain is used to store CRPs
● Safe and Immutable
● Access Control - Registered Users
33. Blockchain + PUF
● All the CRPs are stored in the Blockchain
○ Recall, Blockchain is immutable and secured
○ The unregistered user does not have access to PUF
34. Ownership Transfer (OT)
● One of the use cases of PUF
● Before the actual device reaches the buyer, the OT process is completed.
● This may lead to inappropriate OT because of the following circumstances:
○ The buyer can claim that the seller/owner has sent the wrong product/device.
○ A seller can accidentally or purposefully send cloned/recycled ICs/devices to the buyer.
○ There could be delayed/wrong/failed Logistics or Supply chain events.
○ There can be unfaithful events in the supply chain.
35. PUF in SCM
● PUF - Verifies the integrity of each individual component and IoT device
● Once the seller has sent the product to the buyer, the buyer runs the PUF
● The OT is completed only after the PUF function returns a matching CRP
● Otherwise, the OT stands cancelled.
● In Supply Chain every stage involves OT.
○ PUF can guarantee the genuineness and integrity of the devices at every step.
37. Smart Contracts
Smart Contract:
1. Manufacturer registers to the blockchain - Register_Manufacturer smart contract
2. Each manufacturer registers each generated component in the blockchain - Register_Component smart contract
3. Different buyers buy the component from the manufacturers - OT smart contract
4. When the components are assembled into an IoT Device, a unique ID will be generated based on the unique IDs of all the components which the IoT device consists of - Register_IoTDevice smart contract
5. At any point of time, the registered users can query the blockchain using the Query_Component smart contract
a. Returns the list of previous owners.
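The five contracts above and the PUF-gated ownership transfer from slide 35, modelled in plain Python as an added example; it is not the presenter's contract code and does not run on a blockchain. The class and method names, the SHA-256 derivation of the device ID from sorted component IDs, and the exact-match comparison of the PUF response are assumptions of this sketch.

```python
import hashlib
import hmac

class SupplyChainLedger:
    """In-memory model of the contracts; a real deployment would run on a blockchain."""

    def __init__(self):
        self.manufacturers = set()
        self.components = {}  # component_id -> {"owners": [...], "crp": (challenge, response)}
        self.devices = {}     # device_id -> sorted list of component IDs

    def register_manufacturer(self, name):
        self.manufacturers.add(name)

    def register_component(self, manufacturer, component_id, challenge, response):
        if manufacturer not in self.manufacturers:
            raise PermissionError("unregistered manufacturer")
        if component_id in self.components:
            raise ValueError("component already registered")
        self.components[component_id] = {"owners": [manufacturer],
                                         "crp": (challenge, response)}

    def transfer_ownership(self, component_id, seller, buyer, observed_response):
        rec = self.components[component_id]
        if rec["owners"][-1] != seller:
            return False  # only the current owner can sell
        if not hmac.compare_digest(rec["crp"][1], observed_response):
            return False  # PUF mismatch: the OT stands cancelled
        rec["owners"].append(buyer)
        return True

    def register_iot_device(self, owner, component_ids):
        ids = sorted(component_ids)
        if any(self.components[c]["owners"][-1] != owner for c in ids):
            raise PermissionError("assembler does not own every component")
        device_id = hashlib.sha256("|".join(ids).encode()).hexdigest()  # assumed derivation
        self.devices[device_id] = ids
        return device_id

    def query_component(self, component_id):
        return list(self.components[component_id]["owners"])

def demo():
    ledger = SupplyChainLedger()
    ledger.register_manufacturer("MakerA")
    ledger.register_component("MakerA", "chip-1", b"C1", b"R1")  # constructed CRP
    rejected = ledger.transfer_ownership("chip-1", "MakerA", "BuyerB", b"cloned")
    accepted = ledger.transfer_ownership("chip-1", "MakerA", "BuyerB", b"R1")
    return rejected, accepted, ledger.query_component("chip-1")
```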
38. References
1. Alireza Shamsoshoara, Ashwija Korenda, Fatemeh Afghah, Sherali Zeadally, "A survey on physical unclonable function (PUF)-based security solutions for Internet of Things," Computer Networks, Volume 183, 2020, 107593, ISSN 1389-1286, https://doi.org/10.1016/j.comnet.2020.107593.
2. V. Hassija, V. Chamola, V. Gupta, S. Jain and N. Guizani, "A Survey on Supply Chain Security: Application Areas, Security Threats, and Solution Architectures," in IEEE Internet of Things Journal, vol. 8, no. 8, pp. 6222-6246, 15 April 2021, doi: 10.1109/JIOT.2020.3025775.
3. Md Nazmul Islam and Sandip Kundu. 2019. Enabling IC Traceability via Blockchain Pegged to Embedded PUF. ACM Trans. Des. Autom. Electron. Syst. 24, 3, Article 36 (June 2019), 23 pages. https://doi.org/10.1145/3315669
4. Basics of SRAM PUF and how to deploy it for IoT security - Embedded.com