JOURNAL ARTICLE

An embedded key management system for PUF-based security enclosures

Abstract

Hardware Security Modules (HSMs) are embedded systems which provide a physically secured environment for data storage and handling. The device is protected by an enclosure against adversaries. A supervisor circuit monitors the enclosure's integrity and deletes all Critical Security Parameters (CSPs), such as keys, upon a tamper event. While current solutions store CSPs in battery-backed memory, our novel batteryless solution exploits the Physical Unclonable Function (PUF) of the enclosure to derive a key encryption key (KEK). However, such a PUF-based solution requires a more complex Embedded Key Management System (EKMS) for integrity verification, PUF usage, and key management. In this paper, we address this issue by discussing an adversary model, deriving design requirements, and presenting a hardened firmware architecture for PUF-based security enclosures. We present the complementing security extensions for FreeRTOS that enhance the operating system's security. To verify the concept's feasibility, we implement the proposed system and evaluate its performance. Our results show that this security architecture for an EKMS can serve as a firmware basis for novel PUF-based HSMs.

Keywords:
Firmware, Computer science, Embedded system, Key (lock), Encryption, Physical unclonable function, Key management, Enterprise information security architecture, Hardware security module, Computer security, Cryptography, Operating system

Metrics

Cited By: 10
FWCI (Field Weighted Citation Impact): 2.08
Refs: 9
Citation Normalized Percentile: 0.85

Topics

Physical Unclonable Functions (PUFs) and Hardware Security
Physical Sciences →  Computer Science →  Hardware and Architecture
Security and Verification in Computing
Physical Sciences →  Computer Science →  Artificial Intelligence
Advanced Memory and Neural Computing
Physical Sciences →  Engineering →  Electrical and Electronic Engineering