Researchers working on the “physically unclonable functions found in standard PC components (PUFFIN) project” announced last week that widely used graphics processors could be the next step in online authentication.

PUFFIN is a joint project between Technische Universiteit Eindhoven in the Netherlands, Technical University of Darmstadt in Germany, Katholieke Universiteit Leuven in Belgium, and the Dutch security firm, Intrinsic ID. It seeks to find uniquely identifiable characteristics of hardware in common computers, mobile devices, laptops and consumer electronics.

Known as physically unclonable functions (PUF), the identifiable characteristics are uncontrollable products of the manufacturing process.

The end-goal is to use these features as authentication mechanisms online. As the researchers note, they are not interested in modifying hardware for this purpose, but rather, they’re interested finding some pieces or aspects of hardware that are inherently and uniquely identifiable.

The researchers realized that apparently identical graphics processors are actually different in subtle, unforgeable ways. A piece of software developed by the researchers is capable of discerning these fine differences. The order of magnitude of these differences is so minute, in fact, that manufacturing equipment is incapable of manipulating or replicating them. Thus, the fine-grained manufacturing differences can act as a sort of a key to reliably distinguish each of the processors from one another.

The implication of this discovery is that such differences can be used as PUFs to securely link the graphics cards, and by extension, the computers in which they reside and the persons using them, to specific online accounts.

The project’s lead researcher, Dr. Tanja Lange of Eindhoven Institute for the Protection of Systems and Information, told Threatpost in an email interview that the manufacturing differences were truly unclonable. So copying the GPUs perfectly is out of the question.

The more difficult question to answer at this point, she said, is whether someone could use software to emulate the differences in behavior between graphical processing units. Lange said the key is finding a way to guarantee, in an authentication process, that the party attempting to authenticate a user is communicating with an actual GPU and not software attempting to replicate its behavior and uniqueness. Lange went on to admit they aren’t quite there yet, which is why the product is not finished.

The PUFFIN project will run until 2015 and has a $1.65 million budget.

Categories: Web Security

Comments (12)

  1. Anonymous

    How can the physically unclonable function (PUF) of a graphics processor “be used as PUFs to securely link the graphics cards, and by extension, the computers in which they reside and the persons using them, to specific online accounts.”?

    How can authenticating against the graphics processor (hardware) uniquely identify the person (meatware) sitting at the keyboard? Do these PUFs also read the fingerprints of the person at the keyboard? Or, as a graphics processor, do they run a retina scan?

    I see no PII here.

    Just sayin…



  2. John Nagle

    There’s no paper on the Puffin site. Nothing that mentions what they’re measuring. Only a vague mention of “unitialized memory”. So this is vaporware for now.


  3. Conn Clark

    The whole premis for this research is flawed. It relys on subtle characteristics of chips remaining constant. As chips age subtle characteristics will change due to electro-migration and gate dielectric break down aswell as others.

  4. Anonymous

    That’s cool in a nerdy sort of way. Ten years out of date, tough. I guess they didn’t look at what’s already available, what used to be available and is no longer used, and why. This sentence puts ten years out of date: “link the graphics cards, and by extension, the computers in which they reside and the persons using them, to specific online accounts” 1 person 1 account! Commodity software that’s been widely available for many years already ties one account to on human user, across multiple devices, and without requiring special software on the client end. Consider the sites that get attacked, all day long, every day. Sites like Girls Gone Wild have tens of thousands of spoof attempts everyday. Sites like that have had an effective defense for many years. GGW, for example, uses the readily available Strongbox package which tracks the way the user users their mouse, among other things, to confirm that the user (human) really is who they say they are. Ten to fifteen years ago modern systems like Strongbox displaced earlier systems which assumed that 1 user = 1 device. These researchers are reinventing the steam engine.

  5. Jazz

    Since this would uniquely identify the hardware but NOT the user, wouldn’t this open up a whole host of security and usability issues?

    For example, say my brother has a smartphone and he uses the PUF of the GPU as the authentication key to his online accounts (bank accounts, accounts with service providers like his electric utility and phone company, etc.). Then his phone gets stolen. Now the thief has unmitigated access to his bank records and anything else that he locked with that PUF. If your hardware is your identity, then identify theft becomes as simple as property theft.

    Or it could be even simpler than that. Say he goes on a cruise and accidentally drops his phone overboard. Now there’s no way to get into his bank account at all. He can’t even reset the “password” because he doesn’t have the previous “password” (the PUF of the phone’s GPU) to authenticate himself long enough to set it to a new phone’s PUF. My brother would have to contact his bank to reset the account. And when he contacts them, he’ll have to have some other way of validating that he is who he says he is. But if he already has some other way of authenticating himself to them, then that would mean that the PUF was completely unnecessary in the first place!

    Or how about a family computer that’s shared between eight people, some of whom trust each other and some don’t? Since it’s one piece of hardware, it’s one PUF being used to authenticate access to the accounts of every user on that computer. So if Timmy wants to post on Facebook under Sally’s name, and Sally wants to post under Bob’s name, there’s nothing to stop them. One piece of hardware = one password, no matter what accounts are accessed or what users access them. Brilliant!

    In short, this is a truly terrible idea. It’s cool that we can find these PUFs, but you would have to be a complete lunatic to implement this.

  6. Anonymous

    Dudes stop thinking user authentication and think device authentication – TPMs, inter-device  trust and communication.

    “Once cheese has too  many holes, it ceases to be cheese.” – best thing I’ve heard all week. Are you Eric Cantona?

  7. Anonymous

    So not a single mention of what these actually PUF’s are?

    What kind of reporting is this?

  8. Anonymous

    They have done work with clock skews being unique across product lines, could be something along those lines. The neat thing about clock skews is they do change with age and environment but they change in preditable ways.

Comments are closed.