An embedded key management system for PUF-based security enclosures

Johannes Obermaier; Florian Hauschild; Matthias Hiller; Georg Sigl

doi:10.1109/MECO.2018.8406028

An embedded key management system for PUF-based security enclosures

Johannes Obermaier
, Florian Hauschild
, Matthias Hiller
, Georg Sigl

Chair of Security in Information Technology

Fraunhofer AISEC

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

10 Scopus citations

Abstract

Hardware Security Modules (HSMs) are embedded systems which provide a physically secured environment for data storage and handling. The device is protected by an enclosure against adversaries. A supervisor circuit monitors the enclosure's integrity and deletes all Critical Security Parameters (CSPs), such as keys, upon a tamper event. While current solutions store CSPs in battery-backed memory, our novel batteryless solution exploits the Physical Unclonable Function (PUF) of the enclosure to derive a key encryption key (KEK). However, such a PUF-based solution requires a more complex Embedded Key Management System (EKMS) for integrity verification, PUF usage, and key management. In this paper, we address this issue by discussing an adversary model, deriving design requirements, and presenting a hardened firmware architecture for PUF-based security enclosures. We present the complementing security extensions for FreeRTOS that enhance the operating system's security. To verify the concept's feasibility, we implement the proposed system and evaluate its performance. Our results show that this security architecture for an EKMS can serve as a firmware basis for novel PUF-based HSMs.

Original language	English
Title of host publication	2018 7th Mediterranean Conference on Embedded Computing, MECO 2018 - Including ECYPS 2018, Proceedings
Editors	Lech Jozwiak, Budimir Lutovac, Drazen Jurisic, Radovan Stojanovic
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	1-6
Number of pages	6
ISBN (Electronic)	9781538656822
DOIs	https://doi.org/10.1109/MECO.2018.8406028
State	Published - 6 Jul 2018
Event	7th Mediterranean Conference on Embedded Computing, MECO 2018 - Budva, Montenegro Duration: 10 Jun 2018 → 14 Jun 2018

Publication series

Name	2018 7th Mediterranean Conference on Embedded Computing, MECO 2018 - Including ECYPS 2018, Proceedings

Conference

Conference	7th Mediterranean Conference on Embedded Computing, MECO 2018
Country/Territory	Montenegro
City	Budva
Period	10/06/18 → 14/06/18

Keywords

Embedded System
FIPS140-2
Firmware Architecture
HSM
Key Management
PUF
RTOS
Security Enclosure

Access to Document

10.1109/MECO.2018.8406028

Cite this

Obermaier, J., Hauschild, F., Hiller, M., & Sigl, G. (2018). An embedded key management system for PUF-based security enclosures. In L. Jozwiak, B. Lutovac, D. Jurisic, & R. Stojanovic (Eds.), 2018 7th Mediterranean Conference on Embedded Computing, MECO 2018 - Including ECYPS 2018, Proceedings (pp. 1-6). (2018 7th Mediterranean Conference on Embedded Computing, MECO 2018 - Including ECYPS 2018, Proceedings). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/MECO.2018.8406028

Obermaier, Johannes ; Hauschild, Florian ; Hiller, Matthias et al. / An embedded key management system for PUF-based security enclosures. 2018 7th Mediterranean Conference on Embedded Computing, MECO 2018 - Including ECYPS 2018, Proceedings. editor / Lech Jozwiak ; Budimir Lutovac ; Drazen Jurisic ; Radovan Stojanovic. Institute of Electrical and Electronics Engineers Inc., 2018. pp. 1-6 (2018 7th Mediterranean Conference on Embedded Computing, MECO 2018 - Including ECYPS 2018, Proceedings).

@inproceedings{01917ffcc4e1433ca754a380d3947c3a,

title = "An embedded key management system for PUF-based security enclosures",

abstract = "Hardware Security Modules (HSMs) are embedded systems which provide a physically secured environment for data storage and handling. The device is protected by an enclosure against adversaries. A supervisor circuit monitors the enclosure's integrity and deletes all Critical Security Parameters (CSPs), such as keys, upon a tamper event. While current solutions store CSPs in battery-backed memory, our novel batteryless solution exploits the Physical Unclonable Function (PUF) of the enclosure to derive a key encryption key (KEK). However, such a PUF-based solution requires a more complex Embedded Key Management System (EKMS) for integrity verification, PUF usage, and key management. In this paper, we address this issue by discussing an adversary model, deriving design requirements, and presenting a hardened firmware architecture for PUF-based security enclosures. We present the complementing security extensions for FreeRTOS that enhance the operating system's security. To verify the concept's feasibility, we implement the proposed system and evaluate its performance. Our results show that this security architecture for an EKMS can serve as a firmware basis for novel PUF-based HSMs.",

keywords = "Embedded System, FIPS140-2, Firmware Architecture, HSM, Key Management, PUF, RTOS, Security Enclosure",

author = "Johannes Obermaier and Florian Hauschild and Matthias Hiller and Georg Sigl",

note = "Publisher Copyright: {\textcopyright} 2018 IEEE.; 7th Mediterranean Conference on Embedded Computing, MECO 2018 ; Conference date: 10-06-2018 Through 14-06-2018",

year = "2018",

month = jul,

day = "6",

doi = "10.1109/MECO.2018.8406028",

language = "English",

series = "2018 7th Mediterranean Conference on Embedded Computing, MECO 2018 - Including ECYPS 2018, Proceedings",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "1--6",

editor = "Lech Jozwiak and Budimir Lutovac and Drazen Jurisic and Radovan Stojanovic",

booktitle = "2018 7th Mediterranean Conference on Embedded Computing, MECO 2018 - Including ECYPS 2018, Proceedings",

}

Obermaier, J, Hauschild, F, Hiller, M & Sigl, G 2018, An embedded key management system for PUF-based security enclosures. in L Jozwiak, B Lutovac, D Jurisic & R Stojanovic (eds), 2018 7th Mediterranean Conference on Embedded Computing, MECO 2018 - Including ECYPS 2018, Proceedings. 2018 7th Mediterranean Conference on Embedded Computing, MECO 2018 - Including ECYPS 2018, Proceedings, Institute of Electrical and Electronics Engineers Inc., pp. 1-6, 7th Mediterranean Conference on Embedded Computing, MECO 2018, Budva, Montenegro, 10/06/18. https://doi.org/10.1109/MECO.2018.8406028

An embedded key management system for PUF-based security enclosures. / Obermaier, Johannes; Hauschild, Florian; Hiller, Matthias et al.
2018 7th Mediterranean Conference on Embedded Computing, MECO 2018 - Including ECYPS 2018, Proceedings. ed. / Lech Jozwiak; Budimir Lutovac; Drazen Jurisic; Radovan Stojanovic. Institute of Electrical and Electronics Engineers Inc., 2018. p. 1-6 (2018 7th Mediterranean Conference on Embedded Computing, MECO 2018 - Including ECYPS 2018, Proceedings).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - An embedded key management system for PUF-based security enclosures

AU - Obermaier, Johannes

AU - Hauschild, Florian

AU - Hiller, Matthias

AU - Sigl, Georg

PY - 2018/7/6

Y1 - 2018/7/6

N2 - Hardware Security Modules (HSMs) are embedded systems which provide a physically secured environment for data storage and handling. The device is protected by an enclosure against adversaries. A supervisor circuit monitors the enclosure's integrity and deletes all Critical Security Parameters (CSPs), such as keys, upon a tamper event. While current solutions store CSPs in battery-backed memory, our novel batteryless solution exploits the Physical Unclonable Function (PUF) of the enclosure to derive a key encryption key (KEK). However, such a PUF-based solution requires a more complex Embedded Key Management System (EKMS) for integrity verification, PUF usage, and key management. In this paper, we address this issue by discussing an adversary model, deriving design requirements, and presenting a hardened firmware architecture for PUF-based security enclosures. We present the complementing security extensions for FreeRTOS that enhance the operating system's security. To verify the concept's feasibility, we implement the proposed system and evaluate its performance. Our results show that this security architecture for an EKMS can serve as a firmware basis for novel PUF-based HSMs.

AB - Hardware Security Modules (HSMs) are embedded systems which provide a physically secured environment for data storage and handling. The device is protected by an enclosure against adversaries. A supervisor circuit monitors the enclosure's integrity and deletes all Critical Security Parameters (CSPs), such as keys, upon a tamper event. While current solutions store CSPs in battery-backed memory, our novel batteryless solution exploits the Physical Unclonable Function (PUF) of the enclosure to derive a key encryption key (KEK). However, such a PUF-based solution requires a more complex Embedded Key Management System (EKMS) for integrity verification, PUF usage, and key management. In this paper, we address this issue by discussing an adversary model, deriving design requirements, and presenting a hardened firmware architecture for PUF-based security enclosures. We present the complementing security extensions for FreeRTOS that enhance the operating system's security. To verify the concept's feasibility, we implement the proposed system and evaluate its performance. Our results show that this security architecture for an EKMS can serve as a firmware basis for novel PUF-based HSMs.

KW - Embedded System

KW - FIPS140-2

KW - Firmware Architecture

KW - HSM

KW - Key Management

KW - PUF

KW - RTOS

KW - Security Enclosure

UR - https://www.scopus.com/pages/publications/85050661080

U2 - 10.1109/MECO.2018.8406028

DO - 10.1109/MECO.2018.8406028

M3 - Conference contribution

AN - SCOPUS:85050661080

T3 - 2018 7th Mediterranean Conference on Embedded Computing, MECO 2018 - Including ECYPS 2018, Proceedings

SP - 1

EP - 6

BT - 2018 7th Mediterranean Conference on Embedded Computing, MECO 2018 - Including ECYPS 2018, Proceedings

A2 - Jozwiak, Lech

A2 - Lutovac, Budimir

A2 - Jurisic, Drazen

A2 - Stojanovic, Radovan

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 7th Mediterranean Conference on Embedded Computing, MECO 2018

Y2 - 10 June 2018 through 14 June 2018

ER -

Obermaier J, Hauschild F, Hiller M, Sigl G. An embedded key management system for PUF-based security enclosures. In Jozwiak L, Lutovac B, Jurisic D, Stojanovic R, editors, 2018 7th Mediterranean Conference on Embedded Computing, MECO 2018 - Including ECYPS 2018, Proceedings. Institute of Electrical and Electronics Engineers Inc. 2018. p. 1-6. (2018 7th Mediterranean Conference on Embedded Computing, MECO 2018 - Including ECYPS 2018, Proceedings). doi: 10.1109/MECO.2018.8406028

An embedded key management system for PUF-based security enclosures

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this