AUTHENTICATION WITH PHYSICAL UNCLONABLE FUNCTIONS
First Claim
1. A method for authenticating a device using an authentication station, said device providing a capability to accept a challenge value from the authentication station and return a response value to the challenge value to the authentication station that depends on fabrication characteristics of the device, the method comprising:
- identifying the device, including accepting identification data at the authentication station from the device to be authenticated;
determining authentication data characterizing one or more pairs of challenge and response values associated with the identified device that were previously obtained by a trusted authority in communication with the device, wherein said retrieving of the data does not require communication between the authentication station and the trusted authority after identifying the device;
providing a first challenge value from the authentication station to the device;
accepting a first response value at the authentication station from the device;
determining whether the pair of the first challenge value and the first response value sufficiently match the authentication data.
1 Assignment
0 Petitions
Accused Products
Abstract
Physical Unclonable Functions (PUFs) for authentication can be implemented in a variety of electronic devices including FPGAs, RFIDs, and ASICs. In some implementations, challenge-response pairs corresponding to individual PUFs can be enrolled and used to determine authentication data, which may be managed in a database. Later when a target object with a PUF is intended to be authenticated a set (or subset) of challenges are applied to each PUF device to authenticate it and thus distinguish it from others. In some examples, authentication is achieved without requiring complex cryptography circuitry implemented on the device. Furthermore, an authentication station does not necessarily have to be in communication with an authority holding the authentication data when a particular device is to be authenticated.
-
Citations
33 Claims
-
1. A method for authenticating a device using an authentication station, said device providing a capability to accept a challenge value from the authentication station and return a response value to the challenge value to the authentication station that depends on fabrication characteristics of the device, the method comprising:
-
identifying the device, including accepting identification data at the authentication station from the device to be authenticated; determining authentication data characterizing one or more pairs of challenge and response values associated with the identified device that were previously obtained by a trusted authority in communication with the device, wherein said retrieving of the data does not require communication between the authentication station and the trusted authority after identifying the device; providing a first challenge value from the authentication station to the device; accepting a first response value at the authentication station from the device; determining whether the pair of the first challenge value and the first response value sufficiently match the authentication data. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
-
-
16. A method for improving authentication error rates comprising:
-
providing multiple challenges to an entity; performing authentication of the entity based on corresponding responses to the multiple challenges.
-
-
17. A method for authenticating a device comprising:
-
providing a challenge to the device; combining the challenge with an identifier of the device stored at the device; and providing a response to the combination of the challenge and the identifier.
-
-
18. A method comprising:
-
maintaining multiple databases holding challenge-response pairs for devices; enabling authentication of devices using any one of the multiple databases; and substantially preventing disclosure information in any one of the databases based on disclosure of information in another of the databases.
-
-
19. A device security circuit comprising:
-
circuitry for combining a plurality of outputs, each output being determined by a corresponding control input for selecting physical characteristics of the device upon which the output depends; and using the combination of the plurality of outputs for a security function associated with the device. - View Dependent Claims (20, 21, 22, 23, 24)
-
-
25. A method for authenticating devices, each device providing a capability to accept a challenge value and return a response value to the challenge value that depends on fabrication characteristics of the device, the method comprising, enrolling each of a plurality of the devices, including:
-
providing a plurality of challenge values to the device; accepting a corresponding plurality of response values from the device; computing model parameters from the plurality of challenge values and corresponding plurality of response values, the model parameters being sufficient to predict response values corresponding to challenge values provided to the device; and storing the model parameters for subsequent use for authenticating the device. - View Dependent Claims (26, 27, 28, 29, 30)
-
-
31. A security device comprising:
-
a communication interface for accepting a challenge value from an authentication station and providing a corresponding response value to the authentication station; a sequencer for determining a sequence of configuration values based on the challenge value; and a response circuit whose functional characteristics depend on fabrication characteristics of the circuit that are substantially unique to the device, said circuit including configuration inputs coupled to the output of the sequencer such that an output of the response depends on a the configuration value and the fabrication characteristics; wherein the device is configured to accept the challenge value and generate the corresponding response value according to sequential configurations of the response circuit configured according to outputs of the sequencer. - View Dependent Claims (32, 33)
-
Specification