Cloning chips today involves reverse engineering their
innards, then mass-producing them for applications where OEMs cannot tell the
original from the clone. But what if chips had a physically unclonable function
(PUF) inside—an electronic "fingerprint" whose unique characteristics
could uniquely identify it? That would solve the counterfeiting problem with
the electronic version of "biometrics," which is exactly the business
of Verayo (San Jose,
Calif.).
RFID-based transit passes
are authenticated like an electronic passport by reading their encrypted
electronic fingerprint and comparing it to the fingerprint you get from
interrogating the chip.
Using technology licensed from the Massachusetts Institute
of Technology (MIT), Verayo uses PUFs to secure custom chips for the military,
field-programmable gate arrays (FPGAs) for industry, and now RFID tags for
consumer-oriented markets like the transit tickets you merely wave at a
train-platform turnstile to gain entry.
"Our chips with PUF electronic fingerprints exploit
unavoidable variations in the chip fabrication process that can uniquely
identify each chip," says Verayo’s Vice President of Marketing and Business
Development Vivek Khandelwalhese. "Since these manufacturing process
variations are impossible to control, model or replicate, the chips are
effectively unclonable."
Verayo was founded in 2005 by MIT electrical engineering
professor Srini Devadas, who invented the technology, along with Tom Ziola,
former vice president and general manager of MSN-TV
at Microsoft, and with seed funding from Khosla Ventures, a company started by
the founding chief executive officer of Sun Microsystems, Vinod Khosla. Verayo
has been operating on Defense Advance Research Project Agency (DARPA) contracts
to supply secure unclonable chips to the military. Now the company wants to
move into standard products with its M4H unclonable RFID tags.
Verayo's authentication scheme works like an electronic
passport, where your fingerprint is scanned, encrypted and stored back onto the
passport. When presented to customs, the inspector decrypts the fingerprint
from the electronic passport, and compares it to the fingerprint he just
collected from you. If they match, your identity is authenticated.
And likewise for Verayo's electronic passport. The
electronic fingerprint from the PUF circuit in an RFID-based transit pass, for
instance, is scanned, encrypted and stored back onto the RFID card. When it is
presented at a train platform, the transit authority decrypts the fingerprint
and compares it to the response just collected from the RFID tag. If they
match, the transit pass is authenticated.
"With an electronic passport, you extract the
fingerprint, decrypt it, then compare it with the results from scanning your
finger. If they match, then the person's identity is authenticated,"
Khandelwalhese explains. "We use the same method to identify whether our
RFID tags are authentic by comparing their response to a challenge to what we
get by extracting the electronic fingerprint from the tag and decrypting
it."
