In the ever-expanding world of IoT, AI, 5G, fintech and smart cars, competition is very important; however, security is becoming increasingly important as well. With more academical and business investments seeking effective and efficient security solutions, people are starting to realize that hardware security is imperative. That is why the Ministry of Science and Technology (MOST project) held the International Hardware Security Workshop in Taiwan on September 20th to boost the development of hardware security. Worldwide experts and scholars from eMemory, PUFsecurity, Microsoft, ARM, Lattice, the University of Tokyo, and the University of Florida were invited to the conference. This article will summarize the insights of hardware security from different point of view. Enjoy!
The Strengths of Hardware Security
Security incidents sometimes happen in a way we could have never imagined, such as hackers gaining access to a casino’s high roller database through a networked thermometer in a fish tank! No manufacturer wants to make insecure devices that can cause these accidents which means that security should be foundational to technological development, not as an afterthought. The value of hardware security is to enhance the security level from the fundamental system. Furthermore, it’s also important for every stage of the value chain from manufacturing, transit, installation, system operations, and finally, end of life. During the whole product life cycle, a secure system should be able to automatically detect, protect, and recover from supply chain attacks. In addition, these processes need a hardware root of trust as the anchor, which is also in line with NIST standards.
Generally, hardware security is perceived as more reliable and tamper-resistant than software security. Software-based security is insufficient for protecting systems from fraud, tampering, as well as other integrity and DDoS attacks, since it is more susceptible to design and implementation flaws and non-resistant to subversion by malicious code. In contrast, hardware security is hard to intercept, tamper with, or break which means better integrity assurance. Nevertheless, hardware security enables faster encryption since the processor is optimized for crypto algorithm execution, and the process is transparent and separate from the rest of the other processes in the host machine.
The Challenges of Hardware Security
There are some shortcomings in the current existing hardware-based security solutions, as they are costly and inflexible. According to Lattice Sr. Segment Marketing Manager Srirama Chandra, “flexibility” refers to two dimensions: 1) the ability of customization for various systems, and 2) the ability of updating systems securely and reliably.
With system updates or recovery, re-programmability is another issue, as noted by University of Florida Associate Professor Yier Jin and Microsoft Product Planner Luguy Ramon Ctchoupet Tatdia. For decades, hardware security is less discussed in business since software is more portable and flexible in both the company side and the consumer side. When you look at the industry, there are at least 9 billion MCU being shipped every year, and anything with a screen/button has a microcontroller embedded in it. The challenge is that the MCU designs haven’t changed since the 70’s but we’ve added connectivity to it.
However, considering the vulnerability of software security and the increasing number of cyberattack incidents, hardware security still holds value. Thus, solutions leveraging the advantages from both hardware and software security might be more helpful. The biggest problem that we need to resolve is to close the gap between software and hardware security components.We also need to consider how to make hardware security scalable for larger scale designs. As modern SoCs are designed to provide high flexibility for fulfilling multiple demands, it increases the need for comprehensive security considerations.
Key for Hardware Security Problems
PUF (Physical Unclonable Function) as one of the more well-known embedded hardware security examples, has advantages that help overcome the shortcomings mentioned above. It can be simply understood as a physically defined “fingerprint” that serves as the unique identity UID) a.k.a. the root of trust (RoT) for a semiconductor system. Take NeoPUF from eMemory and PUFsecurity as an impressive example, it simply utilizes the micro-variation born from the oxide-breakdown manufacturing process as UID or entropy seeds of tRNG, key generator, key storage, encryption as well as authentication functions. NIST tests have demonstrated that NeoPUF is very solid and insensitive to environmental influences so it doesn’t require any error correction codes (ECC). Since those PUF-based security functions are designed by standard digital logic process, it is not as costly as other hardware security solutions. In addition, it is possible to co-work with other algorithms or logic designs to meet the flexible demands as required. Nevertheless, IoT/AIoT/5G devices are light weight and usually require low power consumption. As a result, PUF is the ideal fit for IoT or home application devices to provide HRoT functions.
In addition to PUF, cryptography algorithms are another important component in hardware security. For shared-key system (i.e. AES, SM4), key management is essential but also challenging. Hence, public-key system such as RSA and ECC is more often used for digital signature. However, RSA needs a longer key than ECC, which makes the encryption process slower and requires a larger size requirement. If being lightweight is essential to far-end IoT devices and the nodes between edge and cloud, one might consider ECC as a better choice. “Because unlike RSA which requires a longer key, ECC uses a shorter key of 256-bit or 128-bit length” as University of Tokyo Professor Makoto Ikeda pointed out.
Suggestions for Hardware Security Development
To conclude, we would like to sum up suggestions for the future development of hardware security from all the experts in this workshop.
- Define a common hardware root of trust (RoT)
- Make it easy to use, light-weighted, cost-efficient, scalable, and renewable
- Set up comprehensive functions that include automatic protection, detection, reaction, recovery and reporting.
To achieve these goals, the world must need an ideal component of RoT, which makes PUF a good option. Also, collaboration is needed for leveraging the different advantages and strengths of both hardware and software security. This way, we can make bigger contributions together in this new era!