WO2013025060A2 - 사물지능통신에서 puf에 기반한 장치간 보안 인증 장치 및 방법 - Google Patents
사물지능통신에서 puf에 기반한 장치간 보안 인증 장치 및 방법 Download PDFInfo
- Publication number
- WO2013025060A2 WO2013025060A2 PCT/KR2012/006518 KR2012006518W WO2013025060A2 WO 2013025060 A2 WO2013025060 A2 WO 2013025060A2 KR 2012006518 W KR2012006518 W KR 2012006518W WO 2013025060 A2 WO2013025060 A2 WO 2013025060A2
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- terminal device
- key
- authentication
- public key
- security authentication
- Prior art date
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/34—User authentication involving the use of external additional devices, e.g. dongles or smart cards
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
- G06F21/445—Program or device authentication by mutual authentication, e.g. between devices or programs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/72—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/73—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by creating or determining hardware identification, e.g. serial numbers
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/82—Protecting input, output or interconnection devices
- G06F21/85—Protecting input, output or interconnection devices interconnection devices, e.g. bus-connected or in-line devices
-
- G—PHYSICS
- G09—EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
- G09C—CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
- G09C1/00—Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0866—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/14—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
- H04L9/3278—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response using physically unclonable functions [PUF]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2103—Challenge-response
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2107—File encryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/12—Details relating to cryptographic hardware or logic circuitry
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/70—Services for machine-to-machine communication [M2M] or machine type communication [MTC]
Definitions
- M2M machine-to-machine
- M2M is equipped with sensors that allow embedded systems or computers to collect surrounding information and communication equipment that delivers information. It is a technology to control.
- RFID radio frequency identification
- NFC near field communication
- ZigBee ZigBee
- Bluetooth the cost of systems or equipment for implementing IoT communication is decreasing.
- the mobile phone service which is the center of the existing telecommunications market, is approaching the limit of market growth due to the saturation of subscribers, and the IoT industry is emerging as a new future market.
- an unlawful security threat is a major obstacle to the IoT communication technology.
- Two-factor authentication can be used for general security authentication.
- Two-factor authentication performs both Knowledge-based and Possession-based authentication. In other words, to improve safety by performing two different types of authentication.
- Knowledge-based authentication refers to an authentication system based on a password or a personal identity number (PIN).
- Ownership-based authentication refers to authentication by owning a tangible / intangible object to prove itself, such as a social security card.
- password authentication which is a knowledge-based authentication method
- passwords which are knowledge-based authentication
- ownership-based authentication such as a public certificate, a security card, or a one-time password
- ownership-based authentication can be omitted if necessary, but in most cases knowledge-based authentication is essential.
- the device in order to perform knowledge-based authentication on the device itself, the device should be able to generate a password on its own. Traditionally, it was difficult to generate a password for the device itself.
- IoT communication devices are small portable devices, and there is a risk that the device itself may be physically seized by being exposed outdoors in a use environment.
- PUF Planar Function
- a security authentication device and method that is robust against physical attack or unauthorized access to the security authentication system of the device are provided.
- a terminal device for performing IoT communication comprising: a PUF embedded in the terminal device and generating an authentication key for password authentication associated with the terminal device; And an authentication unit configured to perform password authentication associated with the terminal device by using the authentication key generated by the PUF.
- the PUF is physically isolated from the outside of the secure authentication terminal device so that the authentication key does not leak outside of the secure authentication terminal device.
- a terminal device for IoT communication comprising: a secret key module for providing a secret key for transmitting a public key for communicating in a public key encryption method using a secret key encryption method; And a module for providing a private key for generating the public key, wherein at least one of the secret key module and the private key module includes a PUF.
- the security authentication terminal device may further include a fuse that is blocked by the application of overcurrent to block a path from which the secret key is extracted.
- the fuse may block the path after the secret key is first extracted from the terminal device.
- the security authentication terminal device Serial number storage unit for storing the serial number of the terminal device; And a fuse unit which blocks the path from which the secret key is extracted after the serial number is stored in the serial number storage unit and the secret key is extracted.
- the security authentication terminal device may further include a public key generation unit for generating the public key using the private key.
- the security authentication terminal device may store the public key of the external device for the external device to communicate in the public key encryption method. In this case, when the security authentication terminal device receives a message from the external device, the security authentication terminal device may decrypt the message using the public key of the external device.
- the security authentication terminal device may verify the validity of the external device according to whether or not the serial number of the security authentication terminal device is recognized.
- an authentication authority device for managing a security authentication terminal device for performing IoT communication, comprising: a PIN list for storing a secret key of the security authentication terminal device and a serial number of the security authentication terminal;
- the security authentication terminal transmits a message in which a public key for communicating in a public key encryption method and a serial number of the security authentication terminal are encrypted using the secret key, the security authentication terminal decrypts the message using the secret key and decrypts the security key.
- An authentication authority apparatus for checking the validity of the security authentication terminal apparatus in accordance with whether or not the serial number of the authentication terminal apparatus is recognized is provided.
- the terminal device in a method in which a terminal device performs security authentication to perform IoT communication, the terminal device generating the terminal device private key using a first PUF embedded in the terminal device ; Generating, by the terminal device, a public key for the terminal device to perform password authentication using the private key; And performing a password authentication with an external terminal or an external certification authority different from the terminal apparatus using the public key.
- the security authentication method comprises the steps of: receiving a message encrypted using a public key encryption scheme from the external certification authority; Decrypting the encrypted message using a public key of the external certificate authority previously stored; And when the serial number of the terminal device is confirmed in the decrypted message, completing the security authentication with the external certification authority.
- the security authentication method the serial number is stored in the serial number storage unit for storing the serial number of the terminal device and the path after the secret key is extracted first secret key is extracted It may further comprise the step of shutting off the fuse.
- the method of relaying a public key exchange for IoT communication between the first terminal device and the second terminal device requesting the public key of the first terminal device from the second terminal device Receiving step; Generating a first encryption message by encrypting the public key of the first terminal device together with the private key of the certification authority device together with the serial number of the second terminal device; And transmitting the first encrypted message to the second terminal device.
- the method may further include: encrypting a public key of the second terminal device using a private key of the certification authority device together with a serial number of the first terminal device to generate a second encryption message; And transmitting the second encrypted message to the first terminal device.
- the second terminal device decrypts the first message by using the public key of the certification authority device corresponding to the private key of the certification authority device and serializes the second terminal device in the decrypted first message. If the number is verified, the transmitted public key of the first terminal device can be trusted.
- the first terminal device decrypts the second message by using the public key of the certification authority device corresponding to the private key of the authentication authority device, and the serial number of the first terminal device in the decrypted second message. If is confirmed, the public key of the transmitted second terminal device can be trusted.
- FIG. 1 is a block diagram illustrating a security authentication apparatus according to an embodiment.
- FIG. 2 is a block diagram illustrating a security authentication apparatus according to an embodiment.
- FIG. 3 is a conceptual diagram illustrating an exemplary PUF structure used for implementing the secret key module or the private key module of FIG. 2 according to an embodiment.
- FIG. 4 is a conceptual diagram illustrating a process of registering a serial number with a security authentication device and registering a PIN in a PIN list according to an embodiment.
- FIG. 5 is a conceptual diagram illustrating a process in which security authentication devices are distributed from a factory and a PIN list is transmitted to a certification authority CA and registered according to an embodiment.
- FIG. 6 is a flowchart illustrating a process of registering a public key between a device and a CA according to an embodiment.
- FIG. 7 is a flowchart illustrating a process of validating a device according to an embodiment.
- FIG. 8 is a flowchart illustrating a process of exchanging public keys of devices with each other through a CA in order to perform security authentication between devices other than the CA according to an embodiment.
- FIG. 1 is a block diagram illustrating a security authentication apparatus 100 according to an embodiment.
- the device 100 performing the IoT communication may generate and retain a secure PIN or password by itself and perform knowledge-based authentication.
- the device 100 may include physical unclonable functions (PUFs) 110 that are robust against external security attacks and generate random, unique PINs.
- PAFs physical unclonable functions
- the PUF 110 generates a PIN that can be used as an authentication key for knowledge-based authentication.
- This PIN may be a random digital value generated by process variations that occur during the PUF 110 manufacturing process.
- this PIN may be a time-invariant digital value that is generated once and its value does not change with the surrounding environment. Since the PIN is not exposed to the outside, according to an embodiment, it is possible to prevent a security threat to the authentication scheme of the device 100.
- the authenticator 120 receives the PIN generated by the PUF 110 and knowledge. Based authentication can be performed.
- FIG. 2 is a block diagram illustrating a security authentication device 200 according to an embodiment.
- the device 200 may include a secret key module 220 and a private key module 250.
- the secret key module 220 and the private key module 250 may include a PUF.
- each of the secret key module 220 and private key module 250 has its own unique PUF, each PUF from the physical characteristics themselves secret key and private key Has Since the secret key and / or private key may be expressed as a PIN in the following description, a PIN may be understood as a concept including without excluding any secret key, private key, etc. used for security authentication of the device 200.
- PUF is a circuit that generates different function values even when fabricated with the same design drawing using characteristic deviations generated by process variations, and in some embodiments, a PIN of an IoT communication device is generated and provided. Strictly, it can be seen that the PIN is generated using the digital value itself, not by the physical characteristics of the PUF.
- a value obtained from an external trusted source may be used as a seed, and a value obtained by encrypting an original digital value generated by the PUF may be used as the PIN.
- the finally used PIN value may be Hash (V PUF
- the PIN can be easily changed by changing only the seed value when the private key is leaked in any path, thereby improving safety and convenience.
- the generation of such a PIN value is only some embodiments, and the embodiments include both a case in which the digital value itself generated by the PUF is used as the PIN and a case in which the value separately processed for the PUF is used as the PIN.
- the process of generating a new PIN by processing the digital value generated by the PUF is not mentioned one by one, the contents should be understood including all of these embodiments.
- the PUF since the PUF has an unpredictable random value, it can be used to determine the PIN of the device, and by using this, it is possible to prevent the problem of pre-leakage of the PIN that may occur when generated, injected, and stored in the memory.
- the PUF since the PUF is physically impossible to duplicate, the PIN number of the device 200 may be eliminated after being leaked or duplicated.
- the PIN value generated by the PUF is excellent in randomness and in the embodiments, it is reliable that the value generated once does not change with time.
- the PUF implementation will be described later in more detail with reference to FIG. 3.
- the serial number storage unit 210 stores a serial number of a unique value of a device provided by a factory in a manufacturing process of the device 200, and the device 200 from a factory.
- a unique serial number is entered into the device 200 via the I / O interface 231, and only once, not necessarily once, depending on the policy, but may be assigned only once for security reasons.
- the secret key may be extracted from the key module 220 to the outside having a factory or administrative authority.
- the device 200 may include a fuse 230.
- the fuse unit 230 physically blocks the connection between the secret key module 220 and the I / O interface 231 after the first secret key extraction described above, which is irreversible.
- the secret key module 220 is implemented by the PUF, which is physically impossible to replicate, and it is impossible or very difficult to extract the secret key by various reverse engineering including power analysis attacks.
- the device 200 includes a private key module 250 for generating a private key to be used in a public key encryption / decryption communication scheme, and the private key module 250 is different from the secret key module 220.
- the private key can be provided by a separate PUF.
- the private key generated and provided by the private key module 250 is physically isolated from the outside, and is not extracted from the manufacturing, distribution, and use of the device 200. Of course, for the same reason as the secret key module 220 described above, it is also impossible to artificially leak the private key by physical attack.
- the external leakage of the private key provided by the private key module 250 does not occur, and thus device authentication may be performed through the PIN generated by the device 200 by M2M.
- the public key generator 240 may select a public key to be used by the device 200 in the public key encryption / decryption communication scheme. Generated in the public key storage unit 260.
- the public key storage unit 260 may be a non-volatile memory according to an embodiment as a means for storing the generated public key.
- the public key storage unit 260 is configured to be optionally employed, and in another embodiment, the public key generated by the public key generator 240 whenever authentication is required without the public key storage unit 260. It is also possible to read.
- the encryption / decryption processor 270 may be understood as a Crypto-coprocessor for performing normal data encryption and decryption, and the configuration of transmitting and receiving actual encrypted data to and from the outside in the communication network is the communication interface 280.
- the first extracted secret key is mutually legitimate when exchanging a public key with a certification authority (CA), which is a management authority authorized to perform secure communication with the device 200. Used only as a means of identifying an entity.
- CA certification authority
- the secret key which is extracted once, is used for the first time but is not directly used for decryption. Instead, the secret key is used only in the process of sending the public key to the outside through secret key encryption, thereby ensuring double security. Therefore, the private key used for actual device authentication is never exposed to the outside.
- the device 200 may be a CA or other devices.
- the process of performing communication by checking validity with each other will be described in more detail with reference to FIG. 3.
- FIG. 3 is a conceptual diagram illustrating an exemplary PUF structure used for implementing the secret key module or the private key module of FIG. 2 according to an embodiment.
- PUFs Physically Unclonable Functions
- PUF may be referred to as Physical One-Way Function practically impossible to be duplicated (POWF), which may also be referred to as Physical Random Function (PRF).
- PUF Physical One-Way Function practically impossible to be duplicated
- PRF Physical Random Function
- PUF may be used to generate cryptographic keys for security and / or authentication.
- PUF may be used to provide a unique key to distinguish devices from one another.
- PUF used in the embodiments can solve this conventional problem and ensure time invariability and randomness at a very reliable level, but can be generated at a very low cost in the semiconductor manufacturing process.
- a random value is generated using randomness based on whether there is a short circuit between nodes existing in the semiconductor process.
- the PUF according to the embodiment shown in FIG. 3 is a size of a contact or via that is used to electrically connect between conductive metals in a semiconductor chip.
- the short circuit is determined randomly. In other words, it intentionally violates the design rule to generate a random PIN value.
- the new PUF circuit is composed of a very simple short circuit, there are no additional circuits or process steps, and no special measuring device is needed, so it can be easily implemented. And because the process characteristics are used, the stability can be satisfied while maintaining the randomness of the values.
- vias are formed between the metal 1 layer 302 and the metal 2 layer 301.
- the identification key generation unit 210 like the group 320, some of the vias short the metal 1 layer 302 and the metal 2 layer 301, and some of the vias are the metal 1 layer.
- the via size is set so that the 302 and the metal second layer 301 are not shorted.
- the design rule for the via size is different depending on the semiconductor manufacturing process.
- the design rule of the via is set to 0.25 micron in a Complementary metal-oxide-semiconductor (CMOS) process of 0.18 micron (um).
- CMOS Complementary metal-oxide-semiconductor
- the identification key generation unit 210 sets the via size to 0.19 microns so that the presence or absence of a short circuit between the metal layers is probabilistic.
- the probability distribution of such a short circuit should have a short probability of 50%
- the secret key module 220 and the private key module 250 may have a via size such that the probability distribution is as close as 50%. It is configured by setting. Such via size setting may be performed by experiment according to a specific specific semiconductor process.
- This embodiment eliminates the need for tamper-resistance to counteract physical attacks by providing the PUF with private or private keys to ensure randomness and invariability.
- Tamper-resistance which is mainly used in cryptographic modules to deal with physical attacks such as depackaging, layout analysis, and memory attacks, prevents the device from functioning normally by erasing the contents of the storage device. Protect the contents of the inside.
- the need for additional protection device or complicated implementation means not only increases the cost but also has the possibility of unintended equipment damage such as data erasing due to user error or failure.
- the PUF is implemented by the principle described in FIG. 3 as described above, there is no such problem.
- the present invention can provide a private key and a private key that maintains randomness and time immutability while maintaining a robust configuration against physical attack without requiring additional costs such as tamper resistance.
- FIG. 4 is a conceptual diagram illustrating a process of registering a serial number in a device 402 and extracting a PIN, which is a secret key, and registering it in the PIN list 403.
- step 410 the factory 402 producing the device 402 inserts a serial number (SN) which is a unique ID into the device.
- SN serial number
- the factory 402 extracts the PIN which is the secret key of the device 402, and stores the paired SN and the PIN which is the secret key in the PIN list 403 in step 430.
- the PIN that is the secret key of the device 402 may be a digital value generated by the PUF, which is the secret key module 220 of FIG. 2, but in another embodiment, a result of processing the digital value with a hash function or the like is generated. It may be a value.
- the process sends an overcurrent to the extraction circuit to supply the fuse. It may be to cut.
- the secret key is extracted only once and it is no longer possible to access or leak the PIN which is the secret key.
- the IoT communication devices are terminals of the IoT communication network, which mainly collect data using sensors and transmit data to a server. Sometimes data is exchanged with the same type of device.
- the IoT communication server is based on the IoT communication service platform, and collects and processes data produced by devices in a network and provides the same to a user.
- the service platform utilizes an open API (Application Platform Interface) to run various applications. Each application operating for different purposes exchanges data with the device, processes it into useful information, and provides it to the user through a terminal such as a PC or a smartphone.
- API Application Platform Interface
- the CA performs the authentication process to determine whether each device is a legitimate user, and when the device and the device communicate with each other, encrypts each other's public key with its own private key. It plays a role in helping to believe and use legitimacy.
- the CA and server may be integrated. If the server is combined with a CA, it also performs the authentication role for each device. In the following description, only the CA is illustrated and assumed to be integrated into the CA without separately indicating the server for convenience of description.
- the step of collecting the information (PIN, public key) of the IoT communication device for the authentication is essentially required, and the information collected in this process is It is standard information for determining the legitimacy of each device in the network.
- the entire process of executing the security authentication method according to the embodiment is 1) inserting the SN into the individual devices to extract the PIN to create a PIN list, 2) registering the PIN list in the CA, 3) the terminal And the public key exchange between the CA and the CA, and 4) authenticating the PIN to authenticate each other before communication commences.
- FIG. 5 is a conceptual diagram illustrating a process in which security authentication apparatuses 500 are distributed from a factory 501 and a PIN list 403 is transferred to a certification authority CA 502 and registered according to an embodiment.
- step 510 the devices 500 are distributed to their respective locations to be used.
- This distribution process refers to the general process of sales or distribution after manufacture of the devices 500.
- step 520 the CA 502 receives the PIN-list 403 via a secure offline path.
- step 530 the PIN-list received in step 530 is registered.
- FIG. 6 is a flowchart illustrating a process of registering a public key between the device 601 and the CA 602 according to one embodiment.
- step 610 the CA 602 sends a message requesting a public key to the device 601.
- step 620 the device 601 generates a message P by encrypting its SN and public key with its own private PIN.
- the device 601 transmits the message P to the CA 602. That is, the manner in which the device 601 sends its public key to the CA 602 uses a secret key encryption algorithm.
- step 640 the CA 602 receives this P and decrypts it using the secret key PIN of the device 601, and the public key PUB_KEY D of the device 601 is obtained.
- the CA 602 compares the identity of the decrypted SN with the SN of the device 601 performing authentication.
- step 660 the public key PUB_KEY D of the device 601 is registered in the CA 602's own PIN list.
- step 670 the CA 602 encrypts the SN and its public key PUB_KEY CA with the private key PIN of the device 601 to generate a message Q, and in step 680 this Q is sent to the device 601. To pass.
- Device 601 then decrypts this Q with a secret key algorithm to obtain SN and PUB_KEY CA.
- the device 601 compares the identity of the SN to verify validity. If the identity of the SN is confirmed, in operation 692, the PUB_KEY CA , which is the public key of the CA 602, is stored in its nonvolatile memory. Save it.
- the public key of each other is exchanged between the device 601 and the CA 602.
- data communication is performed using the public key of the other party.
- the device 701 and the CA 702 confirm each other's legitimacy before initiating communication with each other.
- FIG. 7 is a flowchart illustrating a process of validating the apparatus 701 according to an embodiment.
- the CA 702 generates the message P by encrypting the SN of the device 701 and nonce R, which is a random number for authentication, using its private key PRIV_KEY CA.
- the device 701 decrypts this P using PUB_KEY CA , which is the public key of the CA 702, in step 730.
- step 740 the validity is confirmed by comparing SN identity, and if the validity is confirmed, in step 750, the nonce R is again stored in the device 701's own private key PRIV_KEY. Encrypt with D
- This encrypted message Q is sent to the CA 702 in step 760, and in step 770 the CA 702 decrypts R using the public key PUB_KEY D of the device 701.
- step 780 when R is confirmed, validity confirmation is possible between the device 701 and the CA 702. Then, when data is exchanged with each other by the above-described public key encryption / decryption method, do.
- the server or other device that wants to communicate with the device must receive the public key of the device, which is generally similar to the above except that the CA, which is an intermediary, plays a role in the public key exchange process.
- the CA plays an intermediate role in verifying the legitimacy of exchanging a public key or in the process of exchanging an actual public key. This process will be described in FIG. 8.
- FIG. 8 illustrates a process in which devices 801 and 803 exchange each other's public keys through CA 802 to perform security authentication between devices 801 and 803 other than CA 802, according to an embodiment. It is a flowchart showing the.
- the second device 803 wants to exchange a public key to communicate with the first device 801.
- the second device 803 first requests the CA 802 to PUB_KEY D1 , which is the public key of the device 1 801.
- step 820 the CA 802 encrypts SN D1 , which is the serial number of the first device 801, with its private key PRIV_KEY CA , together with the public key PUB_KEY D2 of the second device 803, to encrypt the message P.
- step 830 the CA 802 encrypts SN D2 , which is a serial number of the second device 803, using its own private key PRIV_KEY CA together with the public key PUB_KEY D1 of the first device 801, and sends a message Q.
- the first device 801 decrypts P using the public key PUB_KEY CA of the CA 802 in step 850. Acquire the SN D1 and the public key PUB_KEY D2 of the second device 803.
- the first device 801 stores the public key PUB_KEY D2 of the second device 803 to be transmitted to the second device 803 afterwards. Used to encrypt a message.
- the second device 803 decrypts Q using the public key PUB_KEY CA of the CA 802 in step 880. To obtain the public key PUB_KEY D1 of the SN D2 and the first device 801.
- step 890 if the validity is confirmed by comparing the identity of the serial numbers SN D2 , the second device 803 stores the public key PUB_KEY D1 of the first device 801, and then sends a message to the first device 801. Used to encrypt
- the message to be sent to the other party is encrypted by using the public key of each other, similar to the communication between the CA and the device.
- Device 801 and second device 803 may communicate directly (891).
- the above description is the same except for the difference that the second device 803 is a server.
- the PUF-based secret key PIN is used in the knowledge-based authentication scheme, thereby satisfying all the requirements of non-disclosure, non-replicability, and uniqueness.
- the reliability of security authentication is ensured in various applications such as IoT communication, for example, an application using RFID, a smart grid application, and a cloud computing application. Nevertheless, the cost of ensuring such reliability is very low.
- Method according to an embodiment is implemented in the form of program instructions that can be executed by various computer means may be recorded on a computer readable medium.
- the computer readable medium may include program instructions, data files, data structures, etc. alone or in combination.
- Program instructions recorded on the media may be those specially designed and constructed for the purposes of the present invention, or they may be of the kind well-known and available to those having skill in the computer software arts.
- Examples of computer readable recording media include magnetic media such as hard disks, floppy disks and magnetic tape, optical media such as CD-ROMs, DVDs, and magnetic disks such as floppy disks.
- Examples of program instructions include not only machine code generated by a compiler, but also high-level language code that can be executed by a computer using an interpreter or the like.
- the hardware device described above may be configured to operate as one or more software modules to perform an operation, and vice versa.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Software Systems (AREA)
- Computing Systems (AREA)
- Mathematical Physics (AREA)
- Power Engineering (AREA)
- Storage Device Security (AREA)
- Mobile Radio Communication Systems (AREA)
- Computer And Data Communications (AREA)
Abstract
Description
Claims (19)
- 사물지능통신을 수행하는 단말 장치에 있어서,상기 단말 장치에 임베디드되며, 상기 단말 장치에 연관된 패스워드 인증을 위한 인증 키를 생성하는 PUF; 및상기 PUF가 생성한 상기 인증 키를 이용하여 상기 단말 장치에 연관된 패스워드 인증을 수행하는 인증부를 포함하는, 보안 인증 단말 장치.
- 제1항에 있어서,상기 PUF는 상기 보안 인증 단말 장치 외부와 물리적으로 격리되어 상기 인증키는 상기 보안 인증 단말 장치 외부로 유출되지 않는, 보안 인증 단말 장치.
- 사물지능통신을 수행하는 단말 장치에 있어서,상기 단말 장치가 공개키 암호화 방식으로 통신하기 위한 공개키를 비밀키 암호화 방식으로 전달하기 위한 비밀키를 제공하는 비밀키 모듈; 및상기 공개키를 생성하기 위한 개인키를 제공하는 모듈을 포함하며, 상기 비밀키 모듈 및 상기 개인키 모듈 중 적어도 하나는 PUF를 포함하여 구현되는 보안 인증 단말 장치.
- 제3항에 있어서,과전류 인가에 따라 차단되어 상기 비밀키가 추출되는 경로를 차단하는 퓨즈부를 더 포함하는 보안 인증 단말 장치.
- 제4항에 있어서,상기 퓨즈부는 상기 비밀키가 상기 단말 장치로부터 최초 추출된 이후에 상기 경로를 차단하는 보안 인증 단말 장치.
- 제3항에 있어서,상기 단말 장치의 시리얼번호를 저장하는 시리얼번호 저장부; 및상기 시리얼번호가 상기 시리얼번호 저장부에 저장되고 상기 비밀키가 추출된 이후에 상기 비밀키가 추출되는 경로를 차단하는 퓨즈부를 더 포함하는 보안 인증 단말 장치.
- 제3항에 있어서,상기 개인키를 이용하여 상기 공개키를 생성하는 공개키 생성부를 더 포함하는 보안 인증 단말 장치.
- 제3항에 있어서,상기 보안 인증 단말 장치는 외부 장치가 상기 공개키 암호화 방식으로 통신하기 위한 외부 장치의 공개키를 보관하고,상기 외부 장치로부터 메시지를 받으면 상기 메시지를 상기 외부 장치의 공개키를 이용하여 복호화하는 보안 인증 단말 장치.
- 제8항에 있어서,상기 보안 인증 단말 장치는 상기 복호화한 경우 상기 보안 인증 단말 장치의 시리얼번호의 동일성이 인정되는 지의 여부에 따라 상기 외부 장치의 정당성을 확인하는 보안 인증 단말 장치.
- 사물지능통신을 수행하는 보안 인증 단말 장치를 관리하기 위한 인증 기관 장치에 있어서,상기 보안 인증 단말 장치의 비밀키 및 상기 보안 인증 단말기의 시리얼번호를 보관하는 PIN 리스트를 포함하고,상기 인증 기관 장치는, 상기 보안 인증 단말기가 공개키 암호화 방식으로 통신하기 위한 공개키 및 상기 보안 인증 단말기의 시리얼번호를 상기 비밀키로 암호화한 메시지를 전송하는 경우 이를 상기 비밀키를 이용하여 복호화 하고 상기 복호화한 경우 상기 보안 인증 단말 장치의 시리얼번호의 동일성이 인정되는 지의 여부에 따라 상기 보안 인증 단말 장치의 정당성을 확인하는 인증 기관 장치.
- 단말 장치가 사물지능통신을 수행하기 위해 보안 인증을 수행하는 방법에 있어서,상기 단말 장치가 상기 단말 장치 내에 임베드된 제1 PUF를 이용하여 상기 단말 장치 개인키를 생성하는 단계;상기 단말장치가 상기 개인키를 이용하여 상기 단말 장치가 패스워드 인증을 수행하기 위한 공개키를 생성하는 단계; 및상기 공개키를 이용하여 상기 단말 장치와는 상이한 외부 단말 또는 외부 인증 기관과 패스워드 인증을 수행하는 단계를 포함하는 보안 인증 방법.
- 제11항에 있어서,상기 공개키를 비밀키 암호화 방식으로 외부에 전달하기 위한 비밀키를 상기 제1 PUF와 상이한 제2 PUF를 이용하여 생성하는 단계; 및상기 비밀키를 이용한 비밀키 암호화 방식으로 상기 공개키를 상기 외부 인증 기관과 교환하는 단계를 더 포함하는 방법.
- 제11항에 있어서,상기 외부 인증 기관으로부터 공개키 암호화 방식을 이용하여 암호화된 메시지를 수신하는 단계;상기 암호화된 메시지를 미리 저장되어 있던 상기 외부 인증 기관의 공개키를 이용하여 복호화하는 단계; 및상기 복호화한 메시지에서 상기 단말 장치의 시리얼번호가 확인되는 경우 상기 외부 인증 기관과의 보안 인증을 완료하는 단계를 더 포함하는 보안 인증 방법.
- 제12항에 있어서,상기 단말 장치의 시리얼번호를 저장하는 시리얼번호 저장부에 상기 시리얼번호가 저장되고 상기 비밀키가 최초 추출된 이후에 상기 비밀키가 추출되는 경로에 있는 퓨즈를 차단하는 단계를 더 포함하는 보안 인증 방법.
- 인증 기관 장치가 제1 단말 장치와 제2 단말 장치의 사물지능통신을 위한 공개키 교환을 중계하는 방법에 있어서,제2 단말 장치로부터 상기 제1 단말 장치의 공개키를 요청받는 단계;상기 제1 단말 장치의 공개키를 상기 제2 단말 장치의 시리얼번호와 함께 상기 인증 기관 장치의 개인키를 이용하여 암호화 하여 제1 암호화 메시지를 생성하는 단계; 및상기 제1 암호화 메시지를 상기 제2 단말 장치에 전송하는 단계를 포함하는 보안 인증 방법.
- 제15항에 있어서,상기 제2 단말 장치의 공개키를 상기 제1 단말 장치의 시리얼번호와 함께 상기 인증 기관 장치의 개인키를 이용하여 암호화 하여 제2 암호화 메시지를 생성하는 단계; 및상기 제2 암호화 메시지를 상기 제1 단말 장치에 전송하는 단계를 더 포함하는 보안 인증 방법.
- 제15항에 있어서,상기 제2 단말 장치는 상기 인증 기관 장치의 개인키에 대응되는 상기 인증 기관 장치의 공개키를 이용하여 상기 제1 메시지를 복호화 하고 상기 복호화한 제1 메시지에서 상기 제2 단말 장치의 시리얼번호가 확인되는 경우에 상기 전송된 제1 단말 장치의 공개키를 신뢰하는 보안 인증 방법.
- 제16항에 있어서,상기 제1 단말 장치는 상기 인증 기관 장치의 개인키에 대응되는 상기 인증 기관 장치의 공개키를 이용하여 상기 제2 메시지를 복호화 하고 상기 복호화한 제2 메시지에서 상기 제1 단말 장치의 시리얼번호가 확인되는 경우에 상기 전송된 제2 단말 장치의 공개키를 신뢰하는 보안 인증 방법.
- 제11항 내지 제18항 중 어느 한 항에 있어서, 상기 보안 인증 방법을 수행하는 프로그램을 수록한 컴퓨터 판독 가능 기록 매체.
Priority Applications (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP16200543.3A EP3206330B1 (en) | 2011-08-16 | 2012-08-16 | Apparatus and method for authentication between devices based on puf over machine-to-machine communications |
ES12824527.1T ES2615750T3 (es) | 2011-08-16 | 2012-08-16 | Dispositivo y método para autenticación de seguridad entre dispositivos basados en PUF en comunicación máquina a máquina |
JP2014525936A JP2014528195A (ja) | 2011-08-16 | 2012-08-16 | 事物知能通信でpufに基づいた装置間セキュリティ認証装置及び方法 |
US14/238,946 US9787670B2 (en) | 2011-08-16 | 2012-08-16 | Apparatus and method for authentication between devices based on PUF over machine-to-machine communications |
EP12824527.1A EP2747335B1 (en) | 2011-08-16 | 2012-08-16 | Device and method for puf-based inter-device security authentication in machine-to-machine communication |
CN201280040144.9A CN103748831B (zh) | 2011-08-16 | 2012-08-16 | 机对机通信中基于puf的装置间的安全认证装置及方法 |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR20110081296 | 2011-08-16 | ||
KR10-2011-0081296 | 2011-08-16 | ||
KR10-2012-0089227 | 2012-08-16 | ||
KR1020120089227A KR101372719B1 (ko) | 2011-08-16 | 2012-08-16 | 사물지능통신에서 puf에 기반한 장치간 보안 인증 장치 및 방법 |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2013025060A2 true WO2013025060A2 (ko) | 2013-02-21 |
WO2013025060A3 WO2013025060A3 (ko) | 2013-04-11 |
Family
ID=47897529
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/KR2012/006518 WO2013025060A2 (ko) | 2011-08-16 | 2012-08-16 | 사물지능통신에서 puf에 기반한 장치간 보안 인증 장치 및 방법 |
Country Status (8)
Country | Link |
---|---|
US (1) | US9787670B2 (ko) |
EP (2) | EP2747335B1 (ko) |
JP (1) | JP2014528195A (ko) |
KR (2) | KR101372719B1 (ko) |
CN (2) | CN103748831B (ko) |
ES (1) | ES2615750T3 (ko) |
TW (1) | TWI479870B (ko) |
WO (1) | WO2013025060A2 (ko) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2015034148A1 (ko) * | 2013-09-06 | 2015-03-12 | (주) 아이씨티케이 | 식별 키 생성 장치 및 방법 |
CN106062771A (zh) * | 2013-12-31 | 2016-10-26 | 有限公司Ictk | 随机数字值的生成装置以及方法 |
US20160335458A1 (en) * | 2013-12-31 | 2016-11-17 | Ictk Co., Ltd. | Apparatus and method for processing digital value |
CN106170944A (zh) * | 2014-01-31 | 2016-11-30 | 快普特奥姆特里有限公司 | 用于执行安全通信的系统和方法 |
WO2017014614A1 (ko) * | 2015-07-23 | 2017-01-26 | 주식회사 투아이피 | Iot 디바이스의 통신 클라이언트의 동작 방법 및 상기 통신 클라이언트를 포함하는 iot 디바이스 |
US10423067B2 (en) | 2013-08-27 | 2019-09-24 | Ictk Holdings Co., Ltd. | Apparatus and method for generating physical unclonable function by modifying photo mask of semiconductor process |
EP3122503B1 (en) * | 2014-03-28 | 2021-04-14 | Illinois Tool Works Inc. | Systems and methods for pairing of wireless control devices with a welding power supply |
EP3920058A1 (en) * | 2014-04-09 | 2021-12-08 | ICTK Holdings Co., Ltd. | Authentication apparatus and method |
Families Citing this family (62)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DK2693370T3 (en) * | 2011-03-31 | 2016-09-26 | Ictk Co Ltd | Device and method for generation of a digital value |
JP6030925B2 (ja) | 2012-11-12 | 2016-11-24 | ルネサスエレクトロニクス株式会社 | 半導体装置及び情報処理システム |
KR20140126787A (ko) * | 2013-04-22 | 2014-11-03 | (주) 아이씨티케이 | PUF 기반 하드웨어 OTP 제공 장치 및 이를 이용한 2-Factor 인증 방법 |
US10235261B2 (en) | 2013-07-26 | 2019-03-19 | Ictk Holdings Co., Ltd. | Apparatus and method for testing randomness |
WO2015037886A1 (ko) * | 2013-09-11 | 2015-03-19 | Kim Deoksang | 스마트 칩 인증 장치 및 그 방법 |
KR101489091B1 (ko) * | 2013-09-30 | 2015-02-04 | (주) 아이씨티케이 | 반도체 공정을 이용한 식별키 생성 장치 및 방법 |
KR101457305B1 (ko) | 2013-10-10 | 2014-11-03 | (주) 아이씨티케이 | 식별키 생성 장치 및 방법 |
TWI505131B (zh) * | 2013-11-27 | 2015-10-21 | Userstar Information System Co Ltd | 設備與設備配件驗證系統及方法 |
DE102013227184A1 (de) * | 2013-12-27 | 2015-07-02 | Robert Bosch Gmbh | Verfahren zur Absicherung eines Systems-on-a-Chip |
DE102014204044A1 (de) * | 2014-03-05 | 2015-09-10 | Robert Bosch Gmbh | Verfahren zum Widerrufen einer Gruppe von Zertifikaten |
WO2015156622A2 (ko) * | 2014-04-09 | 2015-10-15 | (주) 아이씨티케이 | 인증 장치 및 방법 |
TWI575460B (zh) * | 2015-03-23 | 2017-03-21 | 凌通科技股份有限公司 | 識別碼辨識系統以及使用其之識別卡 |
KR101567333B1 (ko) * | 2014-04-25 | 2015-11-10 | 주식회사 크레스프리 | IoT 디바이스의 통신 설정을 위한 이동통신 단말기와 통신설정모듈 및 이동통신 단말기를 이용한 IoT 디바이스의 통신 설정 방법 |
US20160065374A1 (en) * | 2014-09-02 | 2016-03-03 | Apple Inc. | Method of using one device to unlock another device |
KR101673163B1 (ko) | 2014-09-30 | 2016-11-08 | 고려대학교 산학협력단 | 듀얼 레일 딜레이 로직을 이용한 물리적 복제 방지 회로 |
US9641400B2 (en) | 2014-11-21 | 2017-05-02 | Afero, Inc. | Internet of things device for registering user selections |
US20160180100A1 (en) | 2014-12-18 | 2016-06-23 | Joe Britt | System and method for securely connecting network devices using optical labels |
US9832173B2 (en) | 2014-12-18 | 2017-11-28 | Afero, Inc. | System and method for securely connecting network devices |
US10291595B2 (en) | 2014-12-18 | 2019-05-14 | Afero, Inc. | System and method for securely connecting network devices |
US9497573B2 (en) | 2015-02-03 | 2016-11-15 | Qualcomm Incorporated | Security protocols for unified near field communication infrastructures |
US9544768B2 (en) | 2015-03-20 | 2017-01-10 | Hyundai Motor Company | Method and apparatus for performing secure Bluetooth communication |
US10045150B2 (en) | 2015-03-30 | 2018-08-07 | Afero, Inc. | System and method for accurately sensing user location in an IoT system |
US9704318B2 (en) | 2015-03-30 | 2017-07-11 | Afero, Inc. | System and method for accurately sensing user location in an IoT system |
EP3284007B1 (en) * | 2015-04-13 | 2023-10-25 | Visa International Service Association | Enhanced authentication based on secondary device interactions |
JP6329510B2 (ja) * | 2015-05-10 | 2018-05-23 | 渡辺 浩志 | 電子装置、電子装置ネットワークユニット、電子装置ネットワーク及びチップ認証方式 |
US9717012B2 (en) | 2015-06-01 | 2017-07-25 | Afero, Inc. | Internet of things (IOT) automotive device, system, and method |
US9699814B2 (en) | 2015-07-03 | 2017-07-04 | Afero, Inc. | Apparatus and method for establishing secure communication channels in an internet of things (IoT) system |
US9729528B2 (en) * | 2015-07-03 | 2017-08-08 | Afero, Inc. | Apparatus and method for establishing secure communication channels in an internet of things (IOT) system |
US10015766B2 (en) | 2015-07-14 | 2018-07-03 | Afero, Inc. | Apparatus and method for securely tracking event attendees using IOT devices |
JP2017028354A (ja) * | 2015-07-16 | 2017-02-02 | 渡辺 浩志 | 電子装置ネットワーク及びチップ認証方式 |
JP6532333B2 (ja) | 2015-07-21 | 2019-06-19 | キヤノン株式会社 | 通信装置、通信方法及びプログラム |
JP6570355B2 (ja) * | 2015-07-21 | 2019-09-04 | キヤノン株式会社 | 通信装置、通信方法及びプログラム |
KR102125564B1 (ko) * | 2015-07-29 | 2020-06-22 | 삼성전자주식회사 | 디바이스들 간의 통신 방법 및 그 디바이스 |
KR101686167B1 (ko) | 2015-07-30 | 2016-12-28 | 주식회사 명인소프트 | 사물 인터넷 기기의 인증서 배포 장치 및 방법 |
US9793937B2 (en) | 2015-10-30 | 2017-10-17 | Afero, Inc. | Apparatus and method for filtering wireless signals |
KR101922931B1 (ko) * | 2015-11-03 | 2018-11-28 | 주식회사 아이씨티케이 홀딩스 | 보안 장치 및 그 동작 방법 |
KR101678795B1 (ko) * | 2015-11-30 | 2016-11-22 | 전삼구 | 블록체인 인증을 이용하는 IoT 기반 사물 관리 시스템 및 방법 |
TWI593602B (zh) * | 2015-12-03 | 2017-08-01 | 新唐科技股份有限公司 | 無人飛行器之電子調速器驗證系統及方法 |
US10178530B2 (en) | 2015-12-14 | 2019-01-08 | Afero, Inc. | System and method for performing asset and crowd tracking in an IoT system |
US10523437B2 (en) * | 2016-01-27 | 2019-12-31 | Lg Electronics Inc. | System and method for authentication of things |
WO2017138799A1 (ko) * | 2016-02-12 | 2017-08-17 | 한양대학교 산학협력단 | 하드웨어 디바이스 및 그 인증 방법 |
WO2017138797A1 (ko) * | 2016-02-12 | 2017-08-17 | 한양대학교 산학협력단 | 시큐어 시스템 온 칩 |
CN108701193B (zh) * | 2016-02-12 | 2022-08-30 | 汉阳大学校产学协力团 | 安全半导体芯片及其工作方法 |
US11176237B2 (en) | 2016-06-12 | 2021-11-16 | Apple Inc. | Modifying security state with secured range detection |
US11250118B2 (en) | 2016-06-12 | 2022-02-15 | Apple Inc. | Remote interaction with a device using secure range detection |
US10271209B2 (en) | 2016-06-12 | 2019-04-23 | Apple Inc. | Session protocol for backward security between paired devices |
US11582215B2 (en) | 2016-06-12 | 2023-02-14 | Apple Inc. | Modifying security state with secured range detection |
US10348671B2 (en) * | 2016-07-11 | 2019-07-09 | Salesforce.Com, Inc. | System and method to use a mobile number in conjunction with a non-telephony internet connected device |
CN107689872A (zh) * | 2017-11-24 | 2018-02-13 | 北京中电华大电子设计有限责任公司 | 一种实现物理不可克隆功能的电路结构 |
KR102005111B1 (ko) * | 2017-12-20 | 2019-07-29 | 주식회사 유니로보틱스 | 블록체인시스템을 이용한 사물간 재화 또는 서비스 제공방법 |
US11265151B2 (en) * | 2018-03-09 | 2022-03-01 | Arizona Board Of Regents On Behalf Of Northern Arizona University | Key exchange schemes with addressable elements |
KR102078913B1 (ko) | 2018-03-16 | 2020-04-07 | 주식회사 아도스 | Pki 기반의 사물인터넷 기기 인증방법 및 인증시스템 |
CN108920984B (zh) * | 2018-07-06 | 2021-11-16 | 北京计算机技术及应用研究所 | 一种防克隆篡改安全ssd主控芯片 |
US10778451B2 (en) | 2018-07-30 | 2020-09-15 | United States Of America As Represented By The Secretary Of The Navy | Device and method for hardware timestamping with inherent security |
KR102125133B1 (ko) | 2018-08-08 | 2020-06-19 | 충북대학교 산학협력단 | 메시지 인증 장치 및 방법 |
IT201900007290A1 (it) * | 2019-05-27 | 2020-11-27 | Torino Politecnico | Apparato d'utente e metodo di protezione di dati riservati |
KR102364652B1 (ko) | 2019-08-01 | 2022-02-21 | 한국전자통신연구원 | 화이트박스 암호화를 이용한 puf 기반 사물인터넷 디바이스 인증 장치 및 방법 |
KR102459592B1 (ko) * | 2020-10-06 | 2022-10-28 | 주식회사 아이씨티케이 홀딩스 | 하드웨어 장치의 식별 정보를 생성하고 인증하는 전자 장치 및 이의 동작 방법 |
CN113055183B (zh) * | 2021-03-18 | 2022-04-12 | 电子科技大学 | 一种基于硬件指纹的身份认证和加密传输系统 |
CN113114475B (zh) * | 2021-04-23 | 2022-07-05 | 湖北工业大学 | 基于比特自检puf身份认证系统及协议 |
KR102491403B1 (ko) | 2021-09-02 | 2023-01-27 | 주식회사 엘지유플러스 | 물리적 복제 불가능 기능 기반 가입자 식별 모듈 보안 강화 방법 및 그를 위한 장치 및 시스템 |
TWI808042B (zh) * | 2022-11-25 | 2023-07-01 | 國立勤益科技大學 | 自動化雙因子驗證密碼擷取及安全傳輸驗證方法及其系統 |
Family Cites Families (34)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE3736882C2 (de) | 1987-10-30 | 1997-04-30 | Gao Ges Automation Org | Verfahren zur Echtheitsprüfung eines Datenträgers mit integriertem Schaltkreis |
US5228084A (en) | 1991-02-28 | 1993-07-13 | Gilbarco, Inc. | Security apparatus and system for retail environments |
TW381057B (en) * | 1997-08-07 | 2000-02-01 | Hitachi Ltd | Semiconductor device |
US6178506B1 (en) * | 1998-10-23 | 2001-01-23 | Qualcomm Inc. | Wireless subscription portability |
US6555204B1 (en) | 2000-03-14 | 2003-04-29 | International Business Machines Corporation | Method of preventing bridging between polycrystalline micro-scale features |
US6732101B1 (en) | 2000-06-15 | 2004-05-04 | Zix Corporation | Secure message forwarding system detecting user's preferences including security preferences |
TW512617B (en) | 2001-03-26 | 2002-12-01 | Inventec Multimedia & Telecom | Subscriber identification module switching system and method therefor |
US7802085B2 (en) * | 2004-02-18 | 2010-09-21 | Intel Corporation | Apparatus and method for distributing private keys to an entity with minimal secret, unique information |
CA2567250A1 (en) | 2004-05-18 | 2005-11-24 | Silverbrook Research Pty Ltd | Authentication of an object using a signature encoded in a number of data portions |
AU2005277198A1 (en) * | 2004-08-18 | 2006-03-02 | Mastercard International Incorporated | Method and system for authorizing a transaction using a dynamic authorization code |
EP1842203A4 (en) * | 2004-11-12 | 2011-03-23 | Verayo Inc | KEYS OF VOLATILE DEVICES, AND THEIR APPLICATIONS |
JP4524176B2 (ja) * | 2004-12-17 | 2010-08-11 | パナソニック株式会社 | 電子デバイスの製造方法 |
WO2007031908A2 (en) * | 2005-09-14 | 2007-03-22 | Koninklijke Philips Electronics N.V. | Improved device, system and method for determining authenticity of an item |
JP2009533742A (ja) * | 2006-04-11 | 2009-09-17 | コーニンクレッカ フィリップス エレクトロニクス エヌ ヴィ | データベースなしのノイジーな低電力puf認証 |
JP5113074B2 (ja) | 2006-11-06 | 2013-01-09 | パナソニック株式会社 | 情報セキュリティ装置 |
US9185123B2 (en) | 2008-02-12 | 2015-11-10 | Finsphere Corporation | System and method for mobile identity protection for online user authentication |
US8290150B2 (en) * | 2007-05-11 | 2012-10-16 | Validity Sensors, Inc. | Method and system for electronically securing an electronic device using physically unclonable functions |
US20110002461A1 (en) * | 2007-05-11 | 2011-01-06 | Validity Sensors, Inc. | Method and System for Electronically Securing an Electronic Biometric Device Using Physically Unclonable Functions |
ATE544123T1 (de) * | 2007-09-19 | 2012-02-15 | Verayo Inc | Authentifizierung mit physikalisch unklonbaren funktionen |
CN100565562C (zh) * | 2007-10-15 | 2009-12-02 | 北京派瑞根科技开发有限公司 | 电子标签安全认证方法 |
KR100922405B1 (ko) * | 2007-12-24 | 2009-10-16 | 주식회사 도담시스템스 | 인쇄회로기판 보안 및 복제방지회로 |
TW200943897A (en) | 2008-01-02 | 2009-10-16 | Verayo Inc | Authentication with physical unclonable functions |
CN103596123B (zh) | 2008-01-18 | 2017-05-10 | 交互数字专利控股公司 | 一种由m2me执行的方法 |
EP2129095B1 (en) | 2008-05-30 | 2012-07-11 | Koninklijke KPN N.V. | M2M communication using a plurality of SIM-less communication modules |
US7761714B2 (en) * | 2008-10-02 | 2010-07-20 | Infineon Technologies Ag | Integrated circuit and method for preventing an unauthorized access to a digital value |
US8683210B2 (en) | 2008-11-21 | 2014-03-25 | Verayo, Inc. | Non-networked RFID-PUF authentication |
KR101007739B1 (ko) | 2008-12-03 | 2011-01-13 | 주식회사 케이티 | Fota 서비스 제공 방법 및 그 시스템 |
KR101080293B1 (ko) * | 2009-01-13 | 2011-11-09 | 창신정보통신(주) | 무선 센서 네트워크에서의 악성 노드 탐지 장치 및 탐지 방법 |
KR101727130B1 (ko) * | 2010-01-20 | 2017-04-14 | 인트린직 아이디 비브이 | 암호화 키를 획득하기 위한 디바이스 및 방법 |
US8516269B1 (en) * | 2010-07-28 | 2013-08-20 | Sandia Corporation | Hardware device to physical structure binding and authentication |
US8694778B2 (en) * | 2010-11-19 | 2014-04-08 | Nxp B.V. | Enrollment of physically unclonable functions |
US8667283B2 (en) * | 2011-05-09 | 2014-03-04 | Verayo, Inc. | Soft message signing |
US20130141137A1 (en) * | 2011-06-01 | 2013-06-06 | ISC8 Inc. | Stacked Physically Uncloneable Function Sense and Respond Module |
US8762723B2 (en) * | 2011-07-07 | 2014-06-24 | Verayo, Inc. | Cryptographic security using fuzzy credentials for device and server communications |
-
2012
- 2012-08-16 ES ES12824527.1T patent/ES2615750T3/es active Active
- 2012-08-16 US US14/238,946 patent/US9787670B2/en active Active
- 2012-08-16 EP EP12824527.1A patent/EP2747335B1/en active Active
- 2012-08-16 CN CN201280040144.9A patent/CN103748831B/zh active Active
- 2012-08-16 KR KR1020120089227A patent/KR101372719B1/ko active IP Right Grant
- 2012-08-16 CN CN201710495108.6A patent/CN107579828A/zh active Pending
- 2012-08-16 TW TW101129804A patent/TWI479870B/zh active
- 2012-08-16 JP JP2014525936A patent/JP2014528195A/ja active Pending
- 2012-08-16 WO PCT/KR2012/006518 patent/WO2013025060A2/ko active Application Filing
- 2012-08-16 EP EP16200543.3A patent/EP3206330B1/en active Active
-
2013
- 2013-10-08 KR KR1020130120059A patent/KR101952601B1/ko active IP Right Grant
Non-Patent Citations (1)
Title |
---|
None |
Cited By (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11003075B2 (en) | 2013-08-27 | 2021-05-11 | Ictk Holdings Co., Ltd. | Apparatus and method for generating physical unclonable function by modifying photo mask of semiconductor process |
US10423067B2 (en) | 2013-08-27 | 2019-09-24 | Ictk Holdings Co., Ltd. | Apparatus and method for generating physical unclonable function by modifying photo mask of semiconductor process |
US9984982B2 (en) | 2013-09-06 | 2018-05-29 | Ictk Co., Ltd. | Device and method for generating identification key |
EP3043281A4 (en) * | 2013-09-06 | 2017-02-08 | ICTK Co. Ltd. | Device and method for generating identification key |
WO2015034148A1 (ko) * | 2013-09-06 | 2015-03-12 | (주) 아이씨티케이 | 식별 키 생성 장치 및 방법 |
CN110263587B (zh) * | 2013-12-31 | 2023-04-07 | Ictk控股有限公司 | 随机数字值的生成装置以及方法 |
EP3091471A4 (en) * | 2013-12-31 | 2017-01-18 | ICTK Co. Ltd. | Apparatus and method for generating random digital value |
US20160335458A1 (en) * | 2013-12-31 | 2016-11-17 | Ictk Co., Ltd. | Apparatus and method for processing digital value |
US10872172B2 (en) * | 2013-12-31 | 2020-12-22 | Ictk Holdings Co., Ltd. | Apparatus and method for processing digital value |
US10771268B2 (en) | 2013-12-31 | 2020-09-08 | Ictk Holdings Co., Ltd | Apparatus and method for generating random digital value |
US10122537B2 (en) | 2013-12-31 | 2018-11-06 | Ictk Holdings Co., Ltd. | Apparatus and method for generating random digital value |
CN106062771B (zh) * | 2013-12-31 | 2019-05-17 | 有限公司Ictk | 随机数字值的生成装置以及方法 |
CN110263587A (zh) * | 2013-12-31 | 2019-09-20 | Ictk控股有限公司 | 随机数字值的生成装置以及方法 |
CN106062771A (zh) * | 2013-12-31 | 2016-10-26 | 有限公司Ictk | 随机数字值的生成装置以及方法 |
US10715328B2 (en) | 2014-01-31 | 2020-07-14 | Cryptometry Limited | System and method for performing secure communications |
CN106170944B (zh) * | 2014-01-31 | 2019-11-26 | 快普特奥姆特里有限公司 | 确保系统通信安全的方法、安全通信设备、公钥服务器 |
US9942045B2 (en) | 2014-01-31 | 2018-04-10 | Cryptometry Limited | System and method for performing secure communications |
US10862685B2 (en) | 2014-01-31 | 2020-12-08 | Cryptometry Limited | System and method for performing secure communications |
EP3100408A4 (en) * | 2014-01-31 | 2017-10-18 | Cryptometry Limited | System and method for performing secure communications |
CN106170944A (zh) * | 2014-01-31 | 2016-11-30 | 快普特奥姆特里有限公司 | 用于执行安全通信的系统和方法 |
EP3122503B1 (en) * | 2014-03-28 | 2021-04-14 | Illinois Tool Works Inc. | Systems and methods for pairing of wireless control devices with a welding power supply |
EP3920058A1 (en) * | 2014-04-09 | 2021-12-08 | ICTK Holdings Co., Ltd. | Authentication apparatus and method |
WO2017014614A1 (ko) * | 2015-07-23 | 2017-01-26 | 주식회사 투아이피 | Iot 디바이스의 통신 클라이언트의 동작 방법 및 상기 통신 클라이언트를 포함하는 iot 디바이스 |
Also Published As
Publication number | Publication date |
---|---|
CN103748831A (zh) | 2014-04-23 |
JP2014528195A (ja) | 2014-10-23 |
EP2747335A2 (en) | 2014-06-25 |
ES2615750T3 (es) | 2017-06-08 |
KR101952601B1 (ko) | 2019-06-03 |
EP3206330B1 (en) | 2018-12-26 |
EP2747335A4 (en) | 2015-05-27 |
KR101372719B1 (ko) | 2014-03-19 |
KR20130019358A (ko) | 2013-02-26 |
US20140310515A1 (en) | 2014-10-16 |
TWI479870B (zh) | 2015-04-01 |
US9787670B2 (en) | 2017-10-10 |
EP2747335B1 (en) | 2017-01-11 |
WO2013025060A3 (ko) | 2013-04-11 |
CN107579828A (zh) | 2018-01-12 |
EP3206330A1 (en) | 2017-08-16 |
CN103748831B (zh) | 2017-07-21 |
KR20130129334A (ko) | 2013-11-28 |
TW201342868A (zh) | 2013-10-16 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2013025060A2 (ko) | 사물지능통신에서 puf에 기반한 장치간 보안 인증 장치 및 방법 | |
WO2014175538A1 (ko) | Puf 기반 하드웨어 otp 제공 장치 및 이를 이용한 2-factor 인증 방법 | |
WO2018030707A1 (ko) | 인증 시스템 및 방법과 이를 수행하기 위한 사용자 단말, 인증 서버 및 서비스 서버 | |
US11349675B2 (en) | Tamper-resistant and scalable mutual authentication for machine-to-machine devices | |
WO2014030911A1 (ko) | 인증 정보 처리 장치 및 방법 | |
CN105389500A (zh) | 利用一个设备解锁另一个设备的方法 | |
CN107517221B (zh) | 一种无中心的安全可信审计方法 | |
WO2018151390A1 (ko) | 사물 인터넷 장치 | |
KR101993885B1 (ko) | 양자 보안칩 탑재 누수-원격검침 lpwan 서비스 제공 양자보안 통신시스템 | |
WO2020032351A1 (ko) | 익명 디지털 아이덴티티 수립 방법 | |
JP6479724B2 (ja) | 秘密鍵同期システム、ユーザ端末及び秘密鍵同期方法 | |
WO2015053559A1 (ko) | 차량 보안 네트워크 장치 및 그 설계 방법 | |
WO2015026183A1 (ko) | Sw 토큰을 이용한 오프라인 로그인 방법 및 이를 적용한 모바일 기기 | |
CN113872986B (zh) | 配电终端认证方法、装置和计算机设备 | |
CN113326528A (zh) | 一种基于大数据高安全性个人信息保护区块链应用方法 | |
KR20190102961A (ko) | 양자 보안칩 탑재 배전반 lpwan 서비스 제공 양자보안 통신시스템 | |
KR20190102950A (ko) | 방범용 CCTV PUF(eFUSE)-Q(T)RNG 단말기를 통한 통신방법 | |
TW202121867A (zh) | 基於管理者自發行票券的點對點權限管理方法 | |
WO2022119387A1 (en) | Method, electronic device and server for performing user authentication | |
KR20190049069A (ko) | Puf-qrng 보안단말기 탑재 cctv 영상감시장치 | |
US20230370247A1 (en) | Method for protecting a network access profile against cloning | |
KR102633218B1 (ko) | 클라우드 기반의 인공지능 시스템에 대한 컴퓨터 시스템의 등록 및 로그인 방법 | |
JP7337763B2 (ja) | 通信システム、通信方法およびプログラム | |
WO2024177213A1 (ko) | 머클트리 기반의 otp 인증 방법 및 시스템 | |
KR20190102972A (ko) | PUF(eFUSE)-TRNG 보안 시스템 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 12824527 Country of ref document: EP Kind code of ref document: A2 |
|
ENP | Entry into the national phase |
Ref document number: 2014525936 Country of ref document: JP Kind code of ref document: A |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
REEP | Request for entry into the european phase |
Ref document number: 2012824527 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2012824527 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 14238946 Country of ref document: US |