Cyber-physical systems are ubiquitous and are often located in non-trustworthy environments, where they process data that is both sensitive and worth protecting. Despite employed protection measures, such as secured communication, extraction and/or manipulation of data is often easily feasible if physical access to the components of the system is given. Or, in the words of Brian Gladman: “It is relatively easy to build an encryption system that is secure if it is working as intended and is used correctly but it is still very hard to build a system that does not compromise its security in situations in which it is either misused or one or more of its sub-components fails (or is ’encouraged’ to misbehave) ... this is now the only area where the closed world is still a long way ahead of the open world and the many failures we see in commercial cryptographic systems provide some evidence for this.”
In this talk, we revisit a quite novel technology called Enclosure-PUF, which allows verifying the authenticity, integrity and/or physical state of an item by employing the propagation behaviour of electromagnetic waves inside the object. In particular, it enables checking for tamper attempts on larger structures, such as off-the-shelf computers and their periphery. Enclosure-PUF extends or complements existing tamper-proofing approaches from the chip/PCB level to the system level. The technology aims to verify the integrity of such systems in order to detect attempted attacks and activate appropriate countermeasures. The propagation behaviour of electromagnetic waves allows the protection to be extended from individual small components to the entire periphery of a system (or even an object). This allows detecting attacks such as spudding/drilling into cash terminals. By deriving cryptographic key material from the physical disorder and unclonable complexity of an environment, it is possible to create protection that secures information without an attack-detection or data-deletion circuit.
Furthermore, we will present evaluation results for more complex systems, such as ATMs. Such machines involve internal moving parts, such as fans and HDDs, as well as harsh environments. Using this real-world example, we will show the limits of the Enclosure-PUF technology and how we handle these circumstances with machine learning.
The Enclosure-PUF approach was introduced publicly at 35C3 as well as at the IT security competition 2018 (1st prize) organized by the HGI.
Christian is working as a postdoctoral researcher and lecturer in the field of Physical-Layer Security at Ruhr University Bochum. He also co-founded PHYSEC, a spin-off specializing in IoT security solutions, and has (co)authored several journal and conference papers. His current research focuses on the question of how physical statements can be proven over digital communication channels. To tackle this question, he applies measures of electromagnetic wave emanation effects in combination with cryptographic protocols, such as Enclosure-PUF and VPoR. Dr. Zenger is recognized as an Innovator under 35 (2018), one of the most prestigious recognitions worldwide, awarded by MIT Technology Review.
Lars Steinschulte started studying for a B.Sc. in IT Security at Ruhr-University Bochum in the winter term 2016/17. He began working as a Teaching Assistant at the Chair for Embedded Security in fall 2018. At the same time, he started his job as a Security Research Assistant at PHYSEC GmbH.