Author: Rafał Kochanowski, 3mdeb
In the contemporary digital realm, the principle of multi-factor authentication (MFA) has become a cornerstone, especially in sectors like banking. Traditionally, authentication is the act of proving an assertion, such as the identity of a computer system user. While identification merely indicates a person or thing's identity, authentication delves deeper, verifying that claimed identity.
MFA often requires human interaction, which is a combination of knowledge and possession or inherence factors (like password, one-time code via SMS, real-time generated authentication code through specialized apps using algorithms like TOTP, etc.). They necessitate an auxiliary application and its supporting operating system. However, the potential of MFA extends beyond software. It has profound implications in the hardware domain. Particularly in the realm of IoT, where devices might operate on limited resources (often referred to as "bare metal devices"), there's an opportunity to establish mutual authentication between devices autonomously, without human intervention or a traditional operating system.
In the CROSSCON project, 3mdeb with partners is pleased to improve the IoT ecosystem by simplifying integration of device-to-device MFA. The rapid proliferation of IoT devices has led to a surge in security vulnerabilities, emphasizing the need for robust authentication mechanisms [1]. Traditional authentication methods often fall short in the dynamic and diverse landscape of IoT [2], thus, by introducing advanced authentication techniques, we aim to bolster the security posture of these devices, ushering in a new era of digital trust [3].
"Our solution will address the security challenges posed by the IoT ecosystem, where devices interact and communicate extensively"
As IoT devices proliferate, ensuring only authorized devices can access networks and resources becomes crucial. However, traditional cryptographic methods might not be viable due to the limited computational capabilities of many IoT devices.
The concept of Physically Unclonable Functions (PUFs) is introduced as a potential solution for device authentication. PUFs are unique features of semiconductor devices that are inherently random and cannot be cloned, even by the manufacturer. These features arise from random physical factors introduced during manufacturing, such as variations in gate length, oxide thickness, and dopant concentration. Due to their inherent randomness and unclonability, PUFs can serve as a reliable and secure method for generating cryptographic keys for device authentication.
In the context of device-to-device MFA, PUFs offer a significant advantage, especially for constrained devices that lack robust computational power. Since PUFs rely on the inherent characteristics of the device, they eliminate the need for storing cryptographic keys, making the authentication process lightweight and efficient. However, like all technologies, PUF-based authentication is not without challenges. While PUFs are resistant to cloning, they can be vulnerable to certain types of attacks, such as side-channel attacks or modeling attacks. It's essential to understand that no security solution is entirely foolproof. The idea is to layer multiple security measures to create a robust defense mechanism. By combining PUFs with other authentication methods, we aim to mitigate their vulnerabilities and provide a more comprehensive security solution.
Building upon established authentication methods and leveraging the insights of predecessors, we aim to integrate multiple authentication factors to more effectively counteract Man-in-the-Middle (MITM) attacks. While many traditional authentication methods are already in place, our approach seeks to adapt and combine best practices to create a more flexible and modern solution.
Within the scope of the CROSSCON project, we've delved deep into the architectural aspects of our proposed solution, taking into account various communication topologies and potential attack vectors. A significant part of our work has been the development of a comprehensive threat model. This model provides a clear outline of the types of attacks we're aiming to mitigate with our solution, including brute-force attacks, replay attacks, physical attacks, eavesdropping, and machine learning attacks.
In conclusion, CROSSCON seeks to redefine security within the realm of IoT through a comprehensive multi-factor authentication solution. By addressing the challenges posed by constrained devices and leveraging the concept of PUFs, our project aspires to establish a secure environment where IoT devices can authenticate each other autonomously and reliably. Through a meticulous analysis of various scenarios, attack vectors, and use cases, our project lays the foundation for a future where interconnected devices can communicate with trust and confidence.
At 3mdeb, we've always been committed to the ethos of open-source, believing in the power of transparency, collaboration, and community-driven innovation. Our team brings to the table a rich experience in open-source software, firmware, and hardware, seamlessly integrating these elements into larger applications. We possess a deep understanding of trusted computing technologies, encompassing areas such as Root of Trust and attestation. It's this unique blend of knowledge and dedication that has positioned us as a valuable contributor in the realm of security. We are genuinely honored that our consistent efforts in championing open solutions and ensuring comprehensive security have been acknowledged, leading to our invitation to be a part of the CROSSCON project.