A PUF-based Secure Bootstrap Protocol for Cyber-Physical System Networks

2022 IEEE 20th International Conference on Industrial Informatics (INDIN) (2022)

Abstract
In this work, we propose a secure bootstrap protocol for Cyber-Physical Systems (CPS) that compose IIoT Networks. The main contribution of our work is a solution to establish secure communication channels in CPSs through a protocol that enables authentication and confidentiality without the need for constant external verification or pre-stored keys. The proposed protocol relies on the unclonable property of Physical Unclonable Functions (PUF) to build authentication tokens to establish trust between the devices, the gateway, and the Cloud. Device registration is triggered by an authenticated operator, who reports the PUF responses of the respective device to an External Security Agent (ESA) alongside the identification of the target gateway. The ESA and gateway are mutually authenticated using a Certificate Authority and communicate via a secure channel built with HTTPS. The device registration relies on the properties of PUFs to avoid the establishment of security channels via key agreement protocols (e.g., ECDH) and the usage of pre-stored keys. In this way, the PUF challenge response can be used as a secret between the gateway and the device to build trust and establish a secure channel. The presented solution addresses attacks like message replication, Man-in-the-Middle (MITM), and node impersonation while supporting gateway integrity check solutions and being free of pre-stored key vulnerabilities.
Keywords
Security Communication Protocol, Cyber-Physical Systems, Industrial IoT
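
The abstract's central idea, a PUF challenge-response pair acting as the secret shared by gateway and device, can be sketched as follows. This is an added illustration, not the paper's protocol or code: the simulated PUF, the message layout, the HMAC-SHA256 construction and every class and function name are assumptions.

```python
import hashlib
import hmac
import secrets


def mac(key, *parts):
    # Fields are fixed-length in this sketch, so a plain join is sufficient.
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class SimulatedPUF:
    """Assumed stand-in for hardware: a real PUF derives responses from silicon
    variation and needs error correction; a hidden random value plays that role."""
    def __init__(self):
        self._silicon = secrets.token_bytes(32)

    def respond(self, challenge):
        return mac(self._silicon, challenge)


class Device:
    def __init__(self):
        self.puf = SimulatedPUF()  # no pre-stored key on the device

    def answer(self, challenge, nonce):
        response = self.puf.respond(challenge)  # regenerated on demand
        tag = mac(response, b"auth", challenge, nonce)
        session_key = mac(response, b"session", nonce)
        return tag, session_key


def enroll(device, count=4):
    """Registration step: collect challenge-response pairs for the gateway."""
    challenges = [secrets.token_bytes(16) for _ in range(count)]
    return {c: device.puf.respond(c) for c in challenges}


class Gateway:
    def __init__(self, enrolled_crps):
        self.crps = dict(enrolled_crps)  # challenge -> response from registration

    def new_round(self):
        challenge = next(iter(self.crps))  # any unused enrolled challenge
        return challenge, secrets.token_bytes(16)  # fresh nonce per round

    def verify(self, challenge, nonce, tag):
        response = self.crps.pop(challenge, None)  # each pair is single-use
        expected = mac(response or b"", b"auth", challenge, nonce)
        if response is None or not hmac.compare_digest(tag, expected):
            return None  # replayed, forged, or from a different device
        return mac(response, b"session", nonce)  # same key the device derived
```

Because each enrolled pair is consumed on use and the tag binds a fresh nonce, a captured message fails when replayed, and a device with different silicon cannot produce a valid tag.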