Clone-Resistant Network Unit Identification

Abstract

Contemporary networks are lacking resilient identification for their participating entities as switches, hosts, terminals, mobile devices and others. Replacement attacks on such units represent a major security gap in many environments and applications. A provable and un-clonable physical unit identity was not an essential security requirement in most contemporary networks due to flexibility requirements avoiding expected increase in hardware complexity and the difficulty to cope with additional system identity. There has been also no essential necessarily for it in most practical operation. However, this missing physical security represents today serious threat as false network units could allow untraceable attacks. Once a network entity can be physically replaced by another fake unit, many denial of service attacks, intrusion and man-in-the-middle attacks become quite easy. Recently, "Physical Unclonable Functions" PUFs were proposed to generate unclonable physical identity. PUFs however are costly, complex to manage and exhibit inconsistent reproducibility due to aging and drifts as in voltage and temperature. In this work a practically hard to clone structures for network physical entities are proposed based on clone-resistant evolving dynamic identity concept. Units can be securely traced in an operating network in such a way that it is virtually infeasible to clone due to practical reasons. The proposed technique is combining the time scale as a true irreversible "one-way function" together with the transaction profile in the system environment to come up with practically unclonable identity after a short operation time. The paper demonstrates a sample scenario including new core cryptographic primitives towards creating and managing such clone-resistant identity in contemporary network units.