Identification is the act of claiming an identity. For conventional authentication, the factors (attributes) used to authenticate are drawn from three categories: something you know, something you have, and something you are. An identity is a set of attributes, both physical and perceptual, that uniquely defines a specific entity. Authentication is the act of confirming an identity based on the presented attributes.
The authentication of an identity provides a specific level of identity assurance (i.e., confidence that the entity is most likely the entity it claims to be). In modern society, identification and authentication frequently occur remotely using computing devices: an entity provides a set of static attributes specific to the identity it is claiming, and a remote server authenticates the claim. For example, an employee of a corporation remotely logs into the corporate network using a login ID and password, and the network confirms that the ID and password are permitted to access the network by comparing them against the stored database of the end user's static credentials. However, these identity-specific attributes, once digitized, can easily be intercepted over network communications and cloned to gain unauthorized access.
Existing authentication factors built on static identity information (such as a login ID and password) have vulnerabilities that may compromise the security of a communication. With the increase in storage of, and connected transactions involving, sensitive information (e.g., financial data), the consequences of identity misrepresentation can be disastrous. Reliance on static identity information therefore creates a challenging security problem.
A variety of software-based security solutions have been proposed to protect identity authentication. The most common is the use of encryption. An encryption key can be used to securely store and transfer sensitive data (e.g., identity attributes). However, the encryption key itself must then be securely stored or transmitted. Software-based security solutions are also prone to tampering, and the encrypted channel is susceptible to cryptanalysis and man-in-the-middle attacks.
Hardware-based security techniques build upon software-based techniques and encompass a wide variety of technological innovations: random number generators, encryption key generators, smart cards, biometrics, etc. One existing hardware-based security solution is the Physically Unclonable Function (PUF). PUFs are based on the unique, random, and complex characteristics inherent in physical structures consisting of billions of clustered molecules and/or atoms. They are typically derived from the characteristics of wires and transistors that differ from chip to chip, and are normally associated with physical characteristics unique to a given Integrated Circuit (IC). PUFs can be used to build security applications such as random number generators, encryption key generators, and unique physical IDs, and have been used both to authenticate individual ICs and to generate cryptographic keys.
However, certain technical challenges and limitations are associated with PUF usage: granular environmental control (e.g., temperature, power flow, pressure), pure energy source generation (e.g., a clean laser frequency or a high-precision electrical power source), exposure of challenge-response pairs (CRPs) at the manufacturing facility, and minimization of size, weight, power, and the cost to manufacture and deploy. Because of these technical challenges, PUF responses can deviate from the norm, increasing the cost of acquiring consistent and predictable responses. The security guarantees provided by PUFs can also be difficult to quantify. Furthermore, while these positive attributes show some promise for identifying ICs, the technique is not appropriate for non-IC-based hardware. In addition, hardware identification based on alphanumeric codes (or any static data) has logical limitations, since the uniqueness of the hardware identity is easily compromised once that identity is translated or converted into digitized form, enabling identity spoofing, replication, and replay attacks.
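The CRP enrollment and noisy-response matching described above, as an added simulation that is not part of the original text: the device "fingerprint", the bit error rate, the 256-bit response length and the Hamming-distance threshold are assumed, and an HMAC stands in for the physical response function, since a real PUF stores no secret at all.

```python
import hashlib
import hmac
import random
from typing import Dict, Tuple

RESPONSE_BITS = 256      # assumed length of one PUF response, in bits
ACCEPT_THRESHOLD = 64    # assumed max Hamming distance still treated as the same device


class SimulatedPUF:
    """Constructed stand-in for an IC's PUF: a hidden 'fingerprint' plus per-read noise.
    The fingerprint only models chip-to-chip wire/transistor variation; the noise rate
    models environmental drift (temperature, supply voltage) on each evaluation."""

    def __init__(self, fingerprint: bytes, bit_error_rate: float, rng: random.Random):
        self._fingerprint = fingerprint
        self.bit_error_rate = bit_error_rate
        self._rng = rng

    def respond(self, challenge: bytes) -> int:
        ideal = int.from_bytes(hmac.new(self._fingerprint, challenge, hashlib.sha256).digest(), "big")
        for bit in range(RESPONSE_BITS):  # flip each bit independently with probability bit_error_rate
            if self._rng.random() < self.bit_error_rate:
                ideal ^= 1 << bit
        return ideal


def hamming_distance(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def enroll(puf: SimulatedPUF, num_pairs: int, rng: random.Random) -> Dict[bytes, int]:
    """Manufacturing-time step: record CRPs under controlled conditions (noise forced to zero)."""
    saved, puf.bit_error_rate = puf.bit_error_rate, 0.0
    crps = {}
    for _ in range(num_pairs):
        challenge = rng.getrandbits(128).to_bytes(16, "big")
        crps[challenge] = puf.respond(challenge)
    puf.bit_error_rate = saved
    return crps


def authenticate(crps: Dict[bytes, int], device: SimulatedPUF) -> Tuple[bool, int]:
    """Verifier side: consume one unused challenge and compare the noisy reply to the stored
    response. Each CRP is used once, so a reply captured in transit cannot be replayed later."""
    if not crps:
        return False, -1  # CRPs exhausted: nothing fresh to ask
    challenge, expected = crps.popitem()
    distance = hamming_distance(device.respond(challenge), expected)
    return distance <= ACCEPT_THRESHOLD, distance
```

With a 5% bit error rate the genuine device lands well under the threshold, a different chip sits near 128 differing bits, and a genuine device read under heavy drift (40% error rate) is rejected, which is the consistency problem the paragraph above describes.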
The need remains, therefore, for systems and methods that securely and reliably transmit information.