Search

US-12627513-B2 - Methods and apparatus to derive and verify virtual physical unclonable keys

US12627513B2US 12627513 B2US12627513 B2US 12627513B2US-12627513-B2

Abstract

Methods, apparatus, systems, and articles of manufacture are disclosed. An example apparatus includes: instructions; and processor circuitry to execute the instructions to: retrieve a random number and a physical unclonable function (PUF) from a trusted environment; generate a virtual PUF (vPUF) based on a trusted operation including the random number and the PUF; and store the vPUF and the random number in a persistent storage.

Inventors

  • TAT KIN TAN
  • Siew Chin Lim
  • Boon Khai NG

Assignees

  • ALTERA CORPORATION

Dates

Publication Date
20260512
Application Date
20211220

Claims (18)

  1. 1 . An apparatus comprising: physical unclonable function (PUF) circuitry to provide a PUF; number generation circuitry; instructions; and at least one programmable circuit to be programmed based on the instructions to: generate a first virtual PUF (vPUF) based on a first message from a first client device, the first vPUF based on a trusted operation performed with a first number from the number generation circuitry and the PUF; generate a second vPUF based on a second message from a second client device, the second vPUF based on the trusted operation performed with a second number from the number generation circuitry and the PUF; cause transmission of the first vPUF to the first client device and cause transmission of the second vPUF to the second client device; cause storage of the first vPUF, the first number, the second vPUF and the second number in a persistent storage; and in response to a verification request from a third client device, the verification request including a third vPUF, use the third vPUF to look up a third number in the persistent storage, generate a fourth vPUF based on the trusted operation performed with the third number and the PUF, compare the fourth vPUF to the third vPUF to determine a verification result, and provide the verification result to the third client device.
  2. 2 . The apparatus of claim 1 , wherein the first number is a random number.
  3. 3 . The apparatus of claim 1 , wherein one or more of the at least one programmable circuit is to generate a third vPUF based on a third message from a third client device, the third vPUF based on the PUF and a third number from the number generation circuitry.
  4. 4 . The apparatus of claim 1 , wherein the first vPUF is associated with a microservice.
  5. 5 . The apparatus of claim 1 , wherein the trusted operation includes an involutory function.
  6. 6 . The apparatus of claim 5 , wherein the involutory function is an XOR operation.
  7. 7 . The apparatus of claim 1 , wherein one or more of the at least one programmable circuit is to: determine the third vPUF is valid based on the third vPUF matching the fourth vPUF; and determine the third vPUF is invalid based on the third vPUF not matching the fourth vPUF.
  8. 8 . The apparatus of claim 1 , wherein the first message is a request from the first client device for a session key to access a microservice, and one or more of the at least one programmable circuit is to cause the transmission of the first vPUF to the first client device to occur as a response to the request.
  9. 9 . A non-transitory computer readable medium comprising instructions to cause at least one programmable circuit to at least: retrieve a physical unclonable function (PUF) from PUF circuitry: generate a first virtual PUF (vPUF) based on a first message from a first client device, the first vPUF based on a trusted operation performed with a first number from number generation circuitry and the PUF; generate a second vPUF based on a second message from a second client device, the second vPUF based on the trusted operation performed with a second number from the number generation circuitry and the PUF; cause transmission of the first vPUF to the first client device and cause transmission of the second vPUF to the second client device; cause storage of the first vPUF, the first number, the second vPUF and the second number in a persistent storage; and in response to a verification request from a third client device, the verification request including a third vPUF, use the third vPUF to look up a third number in the persistent storage, generate a fourth vPUF based on the trusted operation performed with the third number and the PUF, compare the fourth vPUF to the third vPUF to determine a verification result, and provide the verification result to the third client device.
  10. 10 . The non-transitory computer readable medium of claim 9 , wherein the instructions are to cause one or more of the at least one programmable circuit to generate a third vPUF based on a third message from a third client device, the third vPUF based on the PUF and a third number from the number generation circuitry.
  11. 11 . The non-transitory computer readable medium of claim 9 , wherein the first vPUF is associated with a microservice.
  12. 12 . The non-transitory computer readable medium of claim 9 , wherein the trusted operation includes an involutory function.
  13. 13 . The non-transitory computer readable medium of claim 12 , wherein the involutory function is an XOR operation.
  14. 14 . A method comprising: retrieving a physical unclonable function (PUF) from PUF circuitry: generating a first virtual PUF (vPUF) based on a first message from a first client device, the first vPUF based on a trusted operation performed with a first number from number generation circuitry and the PUF; generating a second vPUF based on a second message from a second client device, the second vPUF based on the trusted operation performed with a second number from the number generation circuitry and the PUF; transmitting the first vPUF to the first client device and transmitting the second vPUF to the second client device; storing the first vPUF, the first number, the second vPUF and the second number in a persistent storage; and in response to a verification request from a third client device, the verification request including a third vPUF, using the third vPUF to look up a third number in the persistent storage, generating a fourth vPUF based on the trusted operation performed with the third number and the PUF, comparing the fourth vPUF to the third vPUF to determine a verification result, and providing the verification result to the third client device.
  15. 15 . The method of claim 14 , including generating a third vPUF based on a third message from a third client device, the third vPUF based on the PUF and a third number from the number generation circuitry.
  16. 16 . The method of claim 14 , wherein the first vPUF is associated with a microservice.
  17. 17 . The method of claim 16 , wherein the trusted operation includes an involutory function.
  18. 18 . The method of claim 17 , wherein the involutory function is an XOR operation.

Description

FIELD OF THE DISCLOSURE This disclosure relates generally to generation and management of unique identifiers and, more particularly, to methods and apparatus to derive and verify virtual physical unclonable keys. BACKGROUND A unique identifier (UID) is a value unique to an individual device. UIDs may be randomly generated and securely stored on a device at manufacture. A physical unclonable function (PUF) is a physical object that provides a physically defined output. PUFs generate a consistent output that can be used as a UID. UIDs and PUFs may be used as cryptographic keys to lock/unlock data. Cryptographic keys are used throughout computing to secure information. BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a block diagram of an example system to derive and verify physical unclonable keys. FIG. 2 is a block diagram of an example server to implement the system to derive and verify physical unclonable keys. FIG. 3 is a sequence diagram of an example process to generate multiple vPUF keys. FIG. 4 is a sequence diagram of an example process to verify a vPUF key. FIG. 5 is a flowchart representative of example machine readable instructions and/or example operations that may be executed by example processor circuitry to implement the vPUF management circuitry of FIG. 2 to generate a vPUF. FIG. 6 is a flowchart representative of example machine readable instructions and/or example operations that may be executed by example processor circuitry to implement the vPUF management circuitry of FIG. 2 to verify a vPUF. FIG. 7 is a flowchart representative of example machine readable instructions and/or example operations that may be executed by example processor circuitry to implement the verification circuitry of FIG. 2 to verify a vPUF. FIG. 8 is a block diagram of an example processing platform including processor circuitry structured to execute the example machine readable instructions and/or the example operations of FIGS. 5-7 to implement the server of FIG. 2. FIG. 9 is a block diagram of an example implementation of the processor circuitry of FIG. 8. FIG. 10 is a block diagram of another example implementation of the processor circuitry of FIG. 8. FIG. 11 is a block diagram of an example software distribution platform (e.g., one or more servers) to distribute software (e.g., software corresponding to the example machine readable instructions of FIGS. 3-8 to client devices associated with end users and/or consumers (e.g., for license, sale, and/or use), retailers (e.g., for sale, re-sale, license, and/or sub-license), and/or original equipment manufacturers (OEMs) (e.g., for inclusion in products to be distributed to, for example, retailers and/or to other end users such as direct buy customers). In general, the same reference numbers will be used throughout the drawing(s) and accompanying written description to refer to the same or like parts. The figures are not to scale. Instead, the thickness of the layers or regions may be enlarged in the drawings. Although the figures show layers and regions with clean lines and boundaries, some or all of these lines and/or boundaries may be idealized. In reality, the boundaries and/or lines may be unobservable, blended, and/or irregular. As used herein, unless otherwise stated, the term “above” describes the relationship of two parts relative to Earth. A first part is above a second part, if the second part has at least one part between Earth and the first part. Likewise, as used herein, a first part is “below” a second part when the first part is closer to the Earth than the second part. As noted above, a first part can be above or below a second part with one or more of: other parts therebetween, without other parts therebetween, with the first and second parts touching, or without the first and second parts being in direct contact with one another. Notwithstanding the foregoing, in the case of a semiconductor device, “above” is not with reference to Earth, but instead is with reference to a bulk region of a base semiconductor substrate (e.g., a semiconductor wafer) on which components of an integrated circuit are formed. Specifically, as used herein, a first component of an integrated circuit is “above” a second component when the first component is farther away from the bulk region of the semiconductor substrate than the second component. As used in this patent, stating that any part (e.g., a layer, film, area, region, or plate) is in any way on (e.g., positioned on, located on, disposed on, or formed on, etc.) another part, indicates that the referenced part is either in contact with the other part, or that the referenced part is above the other part with one or more intermediate part(s) located therebetween. As used herein, connection references (e.g., attached, coupled, connected, and joined) may include intermediate members between the elements referenced by the connection reference and/or relative movement between those elements unless otherwise indicated. As such