
Last update: Tue, 30 Apr 2024 4pm


Spirs: hardware-based security that is affordable for IoT and electronic devices

The European project Spirs is developing affordable hardware-based solutions to enhance security against cyber attacks for small and medium-sized enterprises, allowing them to incorporate these measures into their devices without a significant increase in the final price. The aim is to provide high-security solutions, even for systems with limited resources, such as IoT (Internet of Things) devices. The latter, often wearables, face strict constraints in terms of size and weight.

With the Spirs platform, all components and tools designed in the project are validated. In the image, the prototype platform with the first developed nanochip incorporated (on the right).

In August 2022, the computer systems at the South Francilien Hospital Center in France were cyber-kidnapped, disrupting normal service operations and compromising the confidentiality of data for hundreds of patients. Similar incidents occurred in 2023 at the Hospital Clinic of Barcelona, a victim of a cyber attack, and in 2021 at the Autonomous University of Barcelona. In 2013, Yahoo also experienced a cyber attack. These cases, neither unique nor the latest, highlight the vulnerability of computer systems and citizens' data.

The security of many commonly used computer systems relies exclusively on software solutions, such as antivirus programs. However, this barrier can be breached by malicious software (malware), which is typically injected into the system remotely. Piedad Brox, a researcher at the CSIC in the Instituto de Microelectrónica de Sevilla (IMSE), explains, "Security integrated into the hardware is much more reliable because breaking it requires a physical attack, manipulating directly on the chips that are part of the device. It cannot be attacked remotely. However, hardware-based security can be extremely costly and unaffordable for small and medium-sized enterprises, increasing the final price of their devices and making them non-competitive in the market."

With this idea in mind, the European project Spirs (Secure Platform For ICT Systems Rooted at the Silicon Manufacturing Process) was launched, funded by the European Commission with 5 million euros. The project aims to develop hardware-based security solutions that are affordable. It involves the collaboration of 9 partners, including research centres, universities, and companies, working together to create a platform for designing various security solutions in two application contexts: Industry 4.0 and 5G infrastructures.

Piedad Brox, the project coordinator, clarifies that this platform is "a prototype that validates all the components and tools designed in the project, providing a complete solution that uses hardware as the cornerstone on which all security is built."

Following the principles of open science, the project will provide demonstrators of the platform that showcase its utility. Companies wishing to integrate such solutions into their products can reuse this material as a foundation and tailor it to their specific needs to offer more secure products. On the other hand, companies lacking the capabilities to make these adaptations can establish collaboration agreements with CSIC researchers, who will provide the necessary support.


Additionally, the Spirs platform is capable of detecting physical changes that may signal potential threats, such as sudden temperature changes or variations in power supply, as these can be indicators of manipulation and a possible attack.

A nanochip to protect against cyber attacks

The most recent outcome is a nanoscale chip that integrates a set of cryptographic primitives with various functionalities: digital identity generator, random number generators, hash functions, encryptors, and digital signature accelerators. The solution is modular, meaning that one or several primitives can be used, providing a higher level of security as more of them are incorporated. The combination of these primitives is referred to as the "Root of Trust" (RoT), as the system uses it as a foundation to build the entire set of digital security services against cyber attacks.


"This nanochip allows, among other functionalities, the generation of a unique digital identity for the device, which can be used to create high-security ephemeral cryptographic keys, as well as generate random numbers that meet the quality criteria set by the international standardization body NIST," adds Brox.

This initial chip is a prototype. In the future, depending on the device to be protected, more or fewer components will be incorporated into the chip's Root of Trust (RoT), enabling a good balance between the level of security and the cost of the final implementation.

Digital identities impossible to impersonate

One of the cryptographic primitives that the chip incorporates is a "physical unclonable function," capable of providing the device with a unique digital identity, as it is inherent to the underlying hardware. Piedad Brox clarifies, "During the chip manufacturing process, there are always factors that cause tiny differences between microchips derived from the same design." A minuscule irregularity on the chip's surface or a slight deviation of light during the lithographic process in its production means that no chip is entirely identical to another, even if manufactured on the same silicon wafer. "It's like fingerprints that allow distinguishing between two identical twins with the same genetic map," illustrates Piedad Brox.

The physical unclonable function causes each chip to respond differently to a stimulus, enabling the chip to be unequivocally identified. It is a robust digital identity that, as Brox adds, cannot be cloned and is challenging to steal because it is not stored in memory but generated on demand each time it is needed. "Even we, the chip designers, do not know it; we cannot anticipate its value because it depends on an intrinsic variability in the manufacturing process that cannot be predicted," asserts the researcher.
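The behaviour described above, as an added sketch that is not code from the Spirs project: a software model of a physical unclonable function in which each chip's response comes from fixed per-cell manufacturing mismatch plus read noise, compared within one chip and across two chips of the same design. The Gaussian model, cell count, noise level and seeds are all assumptions made for illustration.

```python
import random

CELLS = 1024        # response bits per chip (assumed size)
NOISE_SIGMA = 0.1   # read noise relative to manufacturing spread (assumed)

def manufacture(chip_seed):
    """Per-cell mismatch frozen in at fabrication, modelled as Gaussian."""
    rng = random.Random(chip_seed)
    return [rng.gauss(0.0, 1.0) for _ in range(CELLS)]

def read_response(chip, rng):
    """One noisy read: each cell settles to 1 or 0 from mismatch plus noise."""
    return [1 if m + rng.gauss(0.0, NOISE_SIGMA) > 0 else 0 for m in chip]

def stable_response(chip, rng, reads=15):
    """Majority vote over an odd number of reads to suppress noisy cells."""
    totals = [0] * CELLS
    for _ in range(reads):
        for i, bit in enumerate(read_response(chip, rng)):
            totals[i] += bit
    return [1 if t * 2 > reads else 0 for t in totals]

def distance(a, b):
    """Fractional Hamming distance between two responses."""
    return sum(x != y for x, y in zip(a, b)) / len(a)

def evaluate():
    noise = random.Random(2024)                      # constructed noise source
    chip_a, chip_b = manufacture(1), manufacture(2)  # same design, two dies
    # Same chip read twice: only cells with near-zero mismatch disagree.
    raw_intra = distance(read_response(chip_a, noise),
                         read_response(chip_a, noise))
    voted_intra = distance(stable_response(chip_a, noise),
                           stable_response(chip_a, noise))
    # Two chips: mismatch is independent, so about half the bits differ.
    inter = distance(stable_response(chip_a, noise),
                     stable_response(chip_b, noise))
    return raw_intra, voted_intra, inter

if __name__ == "__main__":
    raw_intra, voted_intra, inter = evaluate()
    print(f"same chip, raw reads:   {raw_intra:.3f}")
    print(f"same chip, voted reads: {voted_intra:.3f}")
    print(f"different chips:        {inter:.3f}")
```

Reads from the same chip differ in only a few percent of bits, while two chips of the same design differ in about half of them, which is what lets a response act as an identity. The response is recomputed on every call and never stored; a real design adds error correction before using it as key material.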

Achieving security and digital sovereignty in Europe

The Spirs project, which met a few days ago in Barcelona, contributes to boosting Europe's digital sovereignty by ensuring that all solutions are developed for RISC-V microprocessors, based on a free Instruction Set Architecture (ISA). This avoids licensing costs (royalties) to external companies such as ARM and Intel. In Spain, the government has launched the Perte Chip for microelectronics and semiconductors to strengthen the design and production capabilities of the microelectronics and semiconductor industry.

The creation of the first chip in the Spirs project underscores the team's expertise, led by researcher Piedad Brox, in the field of hardware digital security. "This sector is crucial for ensuring the development of a secure, trustworthy, and incident-free digital society that safeguards public and private services in the European Union," emphasizes the CSIC researcher.

The Spirs consortium is composed of: Instituto de Microelectrónica de Sevilla IMSE-CSIC (Spain); Instituto de Tecnologías Físicas y de la Información ITEFI-CSIC (Spain); Tampere University (Finland); Telefónica (Spain); Politecnico di Torino (Italy); LINKS Foundation (Italy); Commissariat à l’Energie Atomique et aux Energies Alternatives - CEAA (France); Thales DIS (Germany); NEC (Germany); and Next SRL (Italy).

 

 Mercè Fernández / Communication CSIC