When a business relies on electronic components manufactured abroad, there is always a risk that somewhere along the long production line, one of the companies involved will abuse their trust. For example, it is possible to manipulate the structure of computer chips to incorporate a “Trojan horse.” There is also a risk that the design of valuable chips will be copied and counterfeited. To avoid this, many businesses opt to manufacture chips across dozens of production steps; the chip is partially built by multiple different companies, with the result that nobody knows the complete design. This strategy is called split manufacturing. This level of protection is particularly relevant for security-related components used for medical devices or banks, for example.
The use of tamper-proof casing on electronic components could prevent them from being manipulated over the course of a long assembly process. Georg Sigl knows exactly how it’s done. Like Eckert, Sigl is Professor of Security in Information Technology at TUM and is part of the leadership team at Fraunhofer AISEC. One of his specialties is PUFs: Physical, Unclonable Functions. This involves using the physical characteristics on the exterior of the electronic component to make the component tamper proof. Among other things, Fraunhofer AISEC has developed a protective film that encases security-related electronic components. “The film contains a double layer of fine wires,” Sigl explains. “In between are small capacitors with a measurable capacity.” This capacity is measured during the production process as a characteristic feature of the component and stored inside it as a security key.” Later, when the device is switched on, the capacity of the film is immediately measured. The key that enables the device to decrypt the software and begin boot-up will then be derived from this. If an attacker has damaged or replaced the film during production in order to manipulate the inside of the component, the key will no longer work.
Sigl’s first exposure to information security was in the 1990s. “For me, there was a secret, unknown element to it,” he explains. “The challenge in our area of research is that, as technology, architectures and algorithms become more tightly intertwined, new methods of attack are always being discovered – however, we are also developing new ideas for counter-attacks.” Ultimately, businesses and researchers are not only concerned with safety and security, but also with sovereignty over their own data and the maintenance of production. To this end, several Fraunhofer Institutes have been working on a new technology for several years: the RISC-V instruction set architecture, which defines the “brain” of the microcontroller as a computer unit. Today, the functionality of microcontrollers worldwide is largely based on one procedure, namely the instruction set architecture of the company ARM.
You have to pay a license fee to use it. Imagine if an architect could choose different components from a construction kit, from the foundation, to the roof, to the interior fittings. This enables them to build a variety of houses – but the “kit” itself comes from ARM. The individual elements cannot be modified, which limits the freedom of developers. On top of this, there are license fees to consider. That is why ten years ago, information technicians from the University of California developed an alternative that is available for free worldwide: RISC-V. “With RISC-V, we can adjust the chips easily and implement various security functions for data encryption, in particular post-quantum cryptography,” explains Carsten Rolfes, program manager for “Trusted Electronics” at the Fraunhofer Institute for Microelectronic Circuits and Systems IMS. The underlying concern is that current encryption procedures could be subverted by super-fast quantum computers in the future. Post-quantum cryptography should allow us to fight back. Processors and microcontrollers with an appropriate level of security could be manufactured with the help of RISC-V; these could then be used in medical devices, for example, and produced entirely in Germany and Europe. If global supply chains come to a standstill – as was recently the case during the pandemic – then 3D printers could be a lifeline for restoring production, at least for important components.