Counterfeiting continues to be a major problem in the electronics supply chain. IHS iSuppli reported last year that over 100 incidents of counterfeiting came to light each month in 2012, and that the number of high-risk suppliers increased by over 60 percent between 2002 and 2011.
More recently, US and UK organizations related to the electronics supply chain announced an initiative to share information on counterfeit and high-risk parts.
One approach to cut counterfeiting would be to adopt a business process that says that all parts must be sourced from authorized distributors. But counterfeits can be difficult to spot. They could be failed parts from an approved supplier that weren't destroyed and then diverted by criminals into the supply chain. Or, they could be lower-grade components repackaged to resemble more expensive devices.
PUF, the magic bullet
A better approach would be to build unique identifiers into components. But not all identification techniques are created equal.
A device code can identify a component as a member of a category of products. This code is easy for criminals to reverse engineer. If they figure out the marking technique, it becomes pretty much worthless.
Physically unclonable functions (PUFs) are considered to be both tamper resistant and hard to spoof. PUFs attempt to “tie a device to its mark of authenticity by leveraging inherent variations in manufacturing processes.” An untrusted supplier can't create a copy of the circuit because it's impossible to control manufacturing process variations.
PUFs take advantage of the fact that every integrated circuit on a board is somewhat different from its neighbors, even though they work the same. For example, internal static random access memory (SRAM) chips display patterns of ones and zeros when they are first powered up, which are random from one die to the next, but which are consistent for any one particular die. This pattern can be used as an unclonable device fingerprint. Unclonability means that it is “infeasible to produce two PUFs that are indistinguishable.”
Trust but verify
Testing for authenticity involves querying the certification circuitry with challenges and receiving responses consistent with a public key supplied by the manufacturer. That process requires the presence of specific hardware, such as embedded non volatile memory (eNVM) — memory that can retain stored information when not powered — to store the data, and a communications interface to allow the data to be read.
With this hardware in place, together with sufficient computational capability to implement cryptography, the manufacturer injects a secret key into the device at the point where the wafer is tested, followed by a digital certificate bound to the secret key at the assembly stage. This provides a certificate that has been signed by the original component manufacturer and which supports downstream anti-counterfeiting measures. The certificate can be interrogated at any point in the supply chain, allowing suppliers and end users to trace the authenticity of the components and providing a counterfeit-free downstream supply chain.