Researchers working on the “physically unclonable functions found in standard PC components (PUFFIN) project” announced last week that widely used graphics processors could be the next step in online authentication.
PUFFIN is a joint project between Technische Universiteit Eindhoven in the Netherlands, Technical University of Darmstadt in Germany, Katholieke Universiteit Leuven in Belgium, and the Dutch security firm, Intrinsic ID. It seeks to find uniquely identifiable characteristics of hardware in common computers, mobile devices, laptops and consumer electronics.
Known as physically unclonable functions (PUF), the identifiable characteristics are uncontrollable products of the manufacturing process.
The end-goal is to use these features as authentication mechanisms online. As the researchers note, they are not interested in modifying hardware for this purpose, but rather, they’re interested finding some pieces or aspects of hardware that are inherently and uniquely identifiable.
The researchers realized that apparently identical graphics processors are actually different in subtle, unforgeable ways. A piece of software developed by the researchers is capable of discerning these fine differences. The order of magnitude of these differences is so minute, in fact, that manufacturing equipment is incapable of manipulating or replicating them. Thus, the fine-grained manufacturing differences can act as a sort of a key to reliably distinguish each of the processors from one another.
The implication of this discovery is that such differences can be used as PUFs to securely link the graphics cards, and by extension, the computers in which they reside and the persons using them, to specific online accounts.
The project’s lead researcher, Dr. Tanja Lange of Eindhoven Institute for the Protection of Systems and Information, told Threatpost in an email interview that the manufacturing differences were truly unclonable. So copying the GPUs perfectly is out of the question.
The more difficult question to answer at this point, she said, is whether someone could use software to emulate the differences in behavior between graphical processing units. Lange said the key is finding a way to guarantee, in an authentication process, that the party attempting to authenticate a user is communicating with an actual GPU and not software attempting to replicate its behavior and uniqueness. Lange went on to admit they aren’t quite there yet, which is why the product is not finished.
The PUFFIN project will run until 2015 and has a $1.65 million budget.