Two-Factor Fuzzy Commitment for Unmanned IoT Devices Security

To create an environment for IoT devices, securely, it is necessary to establish a cryptographic key for those devices. Conventionally, this key has been stored on the actual device, but this leaves the key vulnerable to physical attacks in the IoT environment. To solve this problem, several research studies have been conducted on how best to conceal the cryptographic key. Recently, these studies have most often focused on generating the key dynamically from noisy data using a fuzzy extractor or providing secure storage using a fuzzy commitment. Thus, far, all of these studies use only one type of noisy source data, such as biometric data or physical unclonable function (PUF). However, since most IoT devices are operated in unmanned environments, where biometric data is unavailable, the method using biometric data cannot be utilized for unmanned IoT devices. Although the method using PUF is applied to these unmanned devices, these are still vulnerable against physical attacks including unintended move or theft. In this paper, we present a novel way to use the fuzzy commitment on such devices, called two-factor fuzzy commitment scheme. The proposed method utilizes two noisy factors from the inside and outside of the IoT device. Therefore, although an attacker acquiring the IoT device can access the internal noisy source, the attacker cannot extract the right key from that information only. We also give a prototype implementation for ensuring the feasibility of our two-factor fuzzy commitment concept by utilizing the image data and PUF data for two noisy factors.