Q&A PUF Cafe Episode 3
Vincent: The first question that I have is: can this solution be used in combination with any certificate authority, or only with certain ones?
Brian: It is actually very flexible. If you have an existing cloud connected IoT device already and you're happy with your cloud service, we can still help you with our authentication service, for example. So you can use any cloud service you want. Generally, we don't talk about Amazon, Microsoft or Google cloud services specifically, because we really support any cloud. So depending on which one you're using or which one you want to use, we can support the authentication service. We don't have any preference. It's entirely up to you, which cloud service you want. We can make recommendations based on what our existing customers use, but you can literally use any certificate authority you want.
Vincent: It sounds like the programming machine is specific to a customer. That sounds very expensive and requires rather high volume. That seems like a blocker for product efforts that might be hundreds per year. How do you look at that?
Brian: So the programming machines are located in our provisioning centers, which are located all over the world. So, we have the cost of the programming machine. We offer programming as a service to our customers. The customer doesn't have to pay for a programming machine. We offer the production programming as a service. The only cost would be, depending on the security solution you pick, that there might be a small tooling fee. The cost of the programming machine, which we designed in our R&D center in the Czech Republic, is not for the customer to pay for.
Vincent: How are the bit errors removed from the regenerated SRAM PUF in an authentication service? Is there any specific approach for resource-constrained devices?
Kamal: Our IP has a mechanism in place which handles the bit errors. The whole idea here is to regenerate the same key over and over again. And the key is not available when the device is not powered up. So the IP has those mechanisms in place, also for the resource-constrained devices.
Vincent: Indeed, for the first part of the question, when it comes to authentication service, everything is based on regenerating cryptographic keys. That's how the SRAM PUFs are used. The SRAM PUF itself is not used in an authentication protocol. It's only about regenerating secret keys that remain inside of the device. I think that's a very important aspect to highlight here.
Next question. During the process, what happens in an EPS facility, or does everything happen at the customer? How does that work?
Brian: The software development is really the main thing that happens at the customer's side. Once they have that done, they can get to the volume curve that we talked about. What's done on their side is they're going to have this security development tool, which is one of the tools that we talked about as being important, and that's what allows them to create the encrypted package. Once that's sent to us, we really do the rest. We take that package and it goes into our HSM. It is decrypted by the HSM, within our programming machine, and then the device is programmed. At that point we're able to deliver fully provisioned devices anywhere and wherever the customer wants. All that happens at the EPS facility; the customer only has to send the encrypted package and we provide them with the tools to do that. We're trying to make security quite easy for the customer.
Vincent: Do many IoT device makers already practice secure provisioning? Or is this something that the IoT is lagging behind in compared to some other industries?
Brian: There's definitely a lot of people talking about security and a lot of people are designing new devices that have these great security features. But a lot of people aren't yet taking advantage of the security features that they have. If you have an SRAM PUF, people need to take advantage of those features that are on their device. So, I would say that probably the IoT is lagging behind in this, but they already have the capabilities. But they really need to pull in partner companies like EPS and Intrinsic ID to learn how you take advantage of these features in production. So, I would say IoT industries are lagging behind, but it's not going to be difficult to take advantage and enable security on their existing designs and new designs.
Kamal: I agree. I think overall, as everybody is catching up to security and obviously secure provisioning, a whole ecosystem is being built and a lot of companies are aware of that. But on the whole, yes, I agree that there is a lag and things are lagging behind, but people are catching up. So I think security in IoT devices is very important and everybody will catch up soon.
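Added illustration, not part of the episode transcript and not Intrinsic ID's or EPS's code: the bit-error question Vincent asked and Kamal answered above is usually handled with a code-offset fuzzy extractor, which is what the Python below implements in textbook form. At enrollment a random key K is encoded with an error-correcting code and XORed with the SRAM power-up pattern R; only the resulting helper data W is stored, so no key bits exist on the device while it is unpowered. At every boot the device reads a fresh, slightly noisy pattern R', computes W XOR R' (the codeword plus the flip pattern) and decodes to recover K. The SRAM patterns, the 128-bit key, the 15-fold repetition code and all parameters here are constructed assumptions chosen for readability; they are not a description of any vendor's IP.

```python
"""Toy SRAM-PUF key regeneration with a code-offset fuzzy extractor.

Enrollment:   K random, W = ENC(K) XOR R        (W stored; R and K are not)
Regeneration: K' = DEC(W XOR R') = DEC(ENC(K) XOR e),  e = R XOR R'

ENC is an n-bit repetition code, so DEC is a majority vote per block and
corrects up to (n - 1) // 2 flipped SRAM bits per key bit.  This is an
added example with constructed data, not any product's mechanism.
"""
import hashlib
import random

KEY_BITS = 128
REP = 15                       # assumed repetition length
T = (REP - 1) // 2             # flips per block the majority vote tolerates
PUF_BITS = KEY_BITS * REP      # SRAM bits consumed by the extractor


def sram_startup(seed):
    """Constructed stand-in for one device's SRAM power-up pattern."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(PUF_BITS)]


def enroll(reference, rng):
    """One-time enrollment: returns (helper data to store, key to discard)."""
    key = [rng.getrandbits(1) for _ in range(KEY_BITS)]
    codeword = [b for b in key for _ in range(REP)]        # repetition encode
    helper = [c ^ r for c, r in zip(codeword, reference)]  # code-offset
    return helper, key


def regenerate(helper, fresh_response):
    """Every boot: strip the offset with the fresh (noisy) SRAM read, then decode."""
    noisy_codeword = [h ^ r for h, r in zip(helper, fresh_response)]
    key = []
    for i in range(KEY_BITS):
        block = noisy_codeword[i * REP:(i + 1) * REP]
        key.append(1 if sum(block) > T else 0)             # majority vote
    return key


def derive(key_bits):
    """Final key: hash the decoded bits so the usable key is uniform."""
    raw = int("".join(map(str, key_bits)), 2).to_bytes(KEY_BITS // 8, "big")
    return hashlib.sha256(raw).hexdigest()


def flip_per_block(response, k, rng):
    """Flip exactly k bits in every block: a controlled error weight."""
    out = list(response)
    for i in range(KEY_BITS):
        for j in rng.sample(range(REP), k):
            out[i * REP + j] ^= 1
    return out


def flip_iid(response, rate, rng):
    """More realistic model: each SRAM bit flips independently with `rate`."""
    return [b ^ (1 if rng.random() < rate else 0) for b in response]


def demo(flips_per_block, seed=7):
    """Enroll, simulate a noisy re-read, and report whether the key matches."""
    rng = random.Random(seed)
    reference = sram_startup(seed)
    helper, key = enroll(reference, rng)
    fresh = flip_per_block(reference, flips_per_block, rng)
    return derive(regenerate(helper, fresh)) == derive(key)


if __name__ == "__main__":
    for k in (0, 3, T, T + 1):
        print(f"{k:2d} flips per {REP}-bit block -> key regenerated: {demo(k)}")
    rng = random.Random(1)
    ref = sram_startup(1)
    helper, key = enroll(ref, rng)
    noisy = flip_iid(ref, 0.10, rng)
    print("iid 10% noise -> key regenerated:", derive(regenerate(helper, noisy)) == derive(key))
```

The point of the construction is what Vincent stresses in his answer: the PUF never appears in a protocol, and the stored helper data is public because it is the codeword masked by the full-entropy SRAM pattern. Real deployments use stronger codes than plain repetition and hash the result as `derive` does; the per-block flip counts above only make the tolerated-versus-failed boundary reproducible.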