Hardware-Intrinsic Multi-Layer Security: A New Frontier for 5G Enabled IIoT

. 2020 Mar 31;20(7):1963. doi: 10.3390/s20071963

Algorithm 1 Multi-layered security model using PUF: New client

Objective:

(a)
The seven layer cloud model consisting of FPGA clouds verifies the identity of a new client FPGA ( $U_{B}$ ) who is requesting access.
(b)
The cloud model provides application access for the genuine client ( $U_{B}$ ).

Prerequisites:

(a)
New client $C l i e n t U_{B}$ , requesting application access is known to an existing client $U_{A}$ as a genuine applicant.
(b)
$C l o u d - F P G A s$ have built-in controllers to facilitate secure dynamic partial reconfiguration.
(c)
$C l i e n t - F P G A$ has built-in controllers to facilitate secure dynamic partial reconfiguration initiated by the cloud.
(d)
The $C l o u d - F P G A$ fabric is divided into two parts, (a) static fabric and (b) dynamic fabric. Static fabric consists of hardware configurations which existed before deployment. The dynamic fabric of the $C l o u d - F P G A$ is dedicated to configure additional security primitives (mostly PUFs) for any genuine clients using secure dynamic partial reconfiguration.
(e)
The $c l i e n t - F P G A$ fabric is divided into two parts, (a) static fabric and (b) dynamic fabric. Static fabric consists of hardware configurations which existed before deployment. The $C l i e n t - F P G A$ has secure remote DPR controllers in the static partition facilitating configuration of PUF mathematical model in the dynamic fabric, via an obfuscated bitstream.

Input: $P_{C T}$ , $D B_{F W}$ , $D B_{M E T A}$ , $D B_{V A U L T}$ , $D B_{I P S}$ , $D B_{A N T I M A L}$ of $U s e r U_{A}$

(a)
Tenant session: S
(b)
Contents of session packets: $P_{C T}$
(c)
Contents of FW: $D B_{F W}$
(d)
Contents of $T E N A N T_{M E T A} : D B_{M E T A}$
(e)
Contents of $T E N A N T_{V A U L T} : D B_{V A U L T}$
(f)
Contents of $I P S : D B_{I P S}$
(g)
Contents of $A N T I M A L W A R E : D B_{A N T I M A L}$

Note: $D B_{j}$ represents content $D B$ of layer j

Output: A value in Flag to show a successful dynamic partial reconfiguration ( $F l a g = 1$ ) or denied ( $F l a g = 0$ ).

Steps:

1.
Initialize $S = 1$ , $E = 1$
2.
$U_{i}$ to management plane $M P$ : request access to application A
3.
$M P$ to $U_{i}$ : $M P$ sends a random number $r a n d$ and a set of challenges $C H_{p}$ consisting of q challenge bits each of length ‘n’.
4.
$U_{i}$ calculates the following:
- $R i m_{p, j} = M i (C H_{p, j})$ , $p = 1 \dots q$ , $j = 1 \dots K$
- $R i m = {R i m_{p, j}$ , $1 \leq p \leq q$ , $1 \leq j \leq K$ }
- $C A_{i}$ = $S (E (R i m), r a n d)$
5.
$U_{i}$ to $M P$ : certificate $C A_{i}$
6.
foreach layer jdo
- (a)
  Initialize $M e m = 0$ , $M a t c h = 0$
- (b)
  If ( $E = 1$ )
  - (a)
    $M P : R i m_{p, j} = S^{'} (D (C A_{i}), r a n d)$
  - (b)
    $M P$ to $C l o u d - C_{i}$ : Set of challenges $C H_{p}$ and $R i m_{p, j}$
  - (c)
    $C l o u d - C_{j}$ calculates the following
    
    $R i f_{p, j} = P i (C H_{p, j}), p = 1 \dots q, j = 1 \dots K$
    
    if $N i j \geq 0.99$ $M e m = 1$
  - (d)
    if ( $P_{C T}$ $\in D B_{j}$ , | $D B_{j} \in {D B_{F W},$ $D B_{M E T A},$ $D B_{V A U L T}}$ AND $P_{C T} \notin D B_{j}$ , | $D B_{j} \in {D B_{I P S},$ $D B_{A N T I M A L}$ } ); $M a t c h = 1$
  - i.
    if ( $M e m & & M a t c h$ ), $E = 1$ ; proceed to next higher layer
  - ii.
    else Exit; set $E = 0$ , $S = 0$ ; DenyTenantAccess()
7.
if $S = 1$ ; AuthoriseTenantAccess()