DARPA Looks To End the Scourge of Counterfeit Computer Gear
coondoggie writes "Few things can mess up a highly technical system and threaten lives like a counterfeit electronic component, yet the use of such bogus gear is said to be widespread. A new Defense Advanced Research Projects Agency (DARPA) program will target these phony products and develop a tool to 'verify, without disrupting or harming the system, the trustworthiness of a protected electronic component.'"
Not going to happen (Score:4, Insightful)
"SHIELD demands a tool that costs less than a penny per unit, yet makes counterfeiting too expensive and technically difficult to do"
and at the same time
"What SHIELD is seeking is a very advanced piece of hardware that will offer an on-demand authentication method never before available to the supply chain"
These appear to be mutually exclusive.
Fairly easy and cheap. (Score:4, Insightful)
It seems to me that most of you didn't bother to read the article. In a nutshell, DARPA wants a small electrically isolated chip that acts as an RFID chip and sends an encrypted response to an interrogation.
Method of use:
1. Specialized probe scans chip. Obtains serial number of chip.
2. Specialized probe sends serial number information to centralized server.
3. Centralized server sends back to probe query string.
4. Probe passes onto chip, the query string.
5. Chip sends back encrypted response to query string.
6. Probe passes back to centralized server, encrypted chip response.
7. Centralized server sends back to probe "good" or "bad" results.
Notice that the encryption key may be unique for each chip. The keys are known by the centralized server, but don't need to be known by anything else.
In order to create a counterfeit, the attacker needs to do one of two things.
1. Duplicate an existing chip to include the serial number and encryption key.
2. Create a new chip with a new serial number and encryption key and implant that serial number and key into the database maintained by the centralized server.
If an attacker is capable of compromising the central server, then it's game over. But the assumption is that that is a "hard task". So the security is likely to be aimed at protecting the encryption key for each chip. Perhaps store the key in TLC NAND and arrange for the value to be corrupted if it's exposed to light (and of course, encapsulate the chip in an opaque material).
So when you manufacture a "non-counterfeit" component, you:
1. Manufacture component.
2. Glue a chip to the component.
3. Register the chip with the centralized server.
To verify that a component isn't a counterfeit:
1. Scan for chip and do the entire song and dance to verify the chip.
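The seven-step exchange described in the comment above, as an added example that is not part of the original post or of the SHIELD program. It assumes HMAC-SHA256 over a single-use random challenge in place of the "encrypted response"; the class and function names are hypothetical and the serial numbers used with it are constructed.

```python
import hashlib
import hmac
import secrets


class Chip:
    """Tag glued to the component; its key never leaves it (assumed design)."""
    def __init__(self, serial: str, key: bytes):
        self.serial = serial
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        # Step 5: answer the query string with a MAC keyed by the per-chip key.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Server:
    """Central registry: serial -> per-chip key, plus outstanding challenges."""
    def __init__(self):
        self._keys = {}
        self._pending = {}

    def register(self, serial: str) -> Chip:
        # Manufacturing step 3: enrol a fresh random key for this serial.
        key = secrets.token_bytes(32)
        self._keys[serial] = key
        return Chip(serial, key)

    def challenge(self, serial: str):
        # Steps 2-3: an unregistered serial gets no query string at all.
        if serial not in self._keys:
            return None
        nonce = secrets.token_bytes(16)
        self._pending[serial] = nonce
        return nonce

    def verify(self, serial: str, response: bytes) -> bool:
        # Steps 6-7: each challenge is single use, so a recorded answer fails later.
        nonce = self._pending.pop(serial, None)
        if nonce is None:
            return False
        expected = hmac.new(self._keys[serial], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def probe_check(server: Server, chip: Chip) -> bool:
    """The probe only relays messages and never holds a key."""
    nonce = server.challenge(chip.serial)                    # steps 1-3
    if nonce is None:
        return False
    return server.verify(chip.serial, chip.respond(nonce))  # steps 4-7
```

A tag that copies a registered serial number but not its key fails `probe_check`, which is why the comment puts the protection effort on the per-chip key and the server database.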