The proliferation of Internet of Things (IoT) technologies has revolutionized the medical domain, ofering enhanced reliability and eficiency. However, the inherent vulnerability of these devices, often equipped with inadequate authentication mechanisms, poses significant threats to user privacy. To address these challenges, user-centric authentication leveraging asymmetric encryption has emerged as a valuable security measure across various domains. In this manuscript, we introduce a novel approach to authentication within the domain of the Internet of Medical Things (IoMT), capitalizing on the integration of Self-Sovereign Identity (SSI) and SRAM-based Physical Unclonable Function (PUF). Our approach stands out for its eficacy in resource-constrained environments, ensuring robust security without compromising operational eficiency. We present a concrete implementation under the SSI paradigm, showcasing a convenient time complexity, indicating its eficiency and suitability for practical use.
In recent years, the expansion of connected devices has changed the entire healthcare context,
introducing new opportunities in terms of remote patient monitoring, real-time diagnosis, and
personalized treatment. The ensemble of devices used in the healthcare domain created the
so-called Internet of Medical Things (IoMT), which range from wearable sensors to implantable
devices, collectively aimed at improving patient care and healthcare outcomes [
PUFs are digital circuits that operate on the challenge-response paradigm, where challenges and responses are bitstrings of a given length. The uniqueness of the mapping function is inherent, and its resistance to manipulation arises from exploiting nanoscale imperfections introduced during the circuit manufacturing process. Furthermore, the unpredictability of responses is maintained, as neither physical imperfections can be controlled nor successful cloning of devices is feasible. PUFs can be categorized as memory-based PUFs or delay-based PUFs. Delay-based PUFs determine responses by measuring diferences in signal propagation time over symmetric paths, exemplified by Arbiter-PUF or Anderson-PUF. In contrast, Memory-based PUFs, such as those utilizing SRAM (as implemented in our proposed approach), generate responses by exploiting nanoscale imperfections in symmetric memory cells.
IoT devices designed for medical applications often utilize SRAM as a common memory component. SRAM are a low cost memory technology and its inherent properties, such as variability and low-latency access, make it well-suited for medical IoT devices. One innovative application of SRAM in these devices is its utilization in conjunction with PUFs.
As SRAM-PUF cannot directly serve as a seed generator due to unstable memory cell responses,
the Fuzzy Extractor (FE) technique [
While PUF implementations often rely on custom circuits integrated into specialized
hardware platforms like Field Programmable Gate Arrays (FPGA) [
The concept of SSI represents a significant evolution in the area of digital identity management, which can be applied in the context of IoT. This approach puts individuals in complete and autonomous control of their digital identities at the center, transforming IoT devices into entities capable of interacting directly with end users in a secure and private manner.
In the SSI ecosystem, one of the key elements are decentralized identifiers (DIDs), which provide a unique and persistent way to identify digital entities such as people, organizations and devices. Each DID is composed of three parts: the DID URI scheme identifier, the identifier for the DID method, and the DID method-specific identifier. DIDs allow agents to maintain complete control over their digital identities without depending on central authorities.
Another crucial aspect of SSI are wallet credentials, which allow users to securely store their identity information and selectively and securely share it with third parties. Using encryption and digital signatures, wallet credentials ensure the authenticity and integrity of information, allowing agents to present only information relevant to a given interaction. So, the application of SSI in the IoT introduces the concept of device user-centric turning devices into entities that can manage their own digital identities and interact with other devices and services in a transparent and secure manner. This approach fosters greater privacy, security and interoperability in the IoT context, allowing agents to retain complete control over their personal information and decide how and when to share it.
IoT devices usually sufer from memory and power constraints, making security a critical
concern and posing limitations to the development of SSI within this context. Widely known
asymmetric key-based solutions such as RSA cannot be considered as part of lightweight
cryptography [
SSI leverages the cryptographic wallet to store and retrieve VCs. Each wallet is uniquely associated with a DID which is an identifier for the proposed context. When turning this concept into constrained environments and when considering an IoT device as a platform for holding this wallet, multiple challenges arise. In this paper, an alternative solution is proposed for managing wallet in SSI ecosystem, which is based on asymmetric keys by leveraging the intrinsic characteristics of IoT devices. Specifically, PUFs are utilized, which exploit inherent variations in production to generate a unique and stable seed for each device, enabling the generation of a private key and subsequently the derivation of a public key. Furthermore, the instability of the SRAM is leveraged to generate derived temporary keys for each session. Considering the vulnerability of IoT nodes to capture and hacking, which may result in the potential exposure of stored secrets, the utilization of a PUF becomes essential in addressing this risk. This system is developed using the SRAM PUF in microcontrollers with limited resources, focusing on the ATMEGA328P chip as a case study for generating reliable PUF responses.
The architecture of the proposed schema is composed of an ATMEGA328P microcontroller, connected with an ESP-32 representing the IoT node. The ATMEGA328P is used to generate a PUF to create asymmetric keys. Such keys can be used for multiple purpose, in the next section we will see how it will be leveraged for the generation of a cryptographic wallet and associated DID. In this section we limit the discussion to the operation which it is possible to perform on this key in order to create a secure authentication schema. Considering the constrained environment, we will first exploit a lightweight technique for generating key pairs starting from key material ofered by PUF; and then we leverage key exchange to produce a symmetric session key able to secure the communication between the device and external parties. In what follows we start the discussion from the key generation approach, then we discuss of session key algorithm and data encryption methods.
The key generation process of the proposed system is composed of a phase where a key is extracted from the PUF, and a second phase where this key is used for the generation of an asymmetric key pair.
The mechanism is depicted in Figure 1. In the primary phase it is necessary for the private key () to remain the same, so the challenge must be unique to obtain the same response.
Get Response noisy Ri from PUF Tprivi =Hash(Ri)
Tpubi =x25519_public_k
ey(Tprivi)
Temporary private and public keys
R=FE(Ri, h) KApriv =Hash(R)
KApub= x25519_public_key(KApriv)
Original private and public keys
This becomes a special case of PUF, known as single-challenge PUF, which can also be called Physically Obfuscated Key (POK) and represents a method for storing keys within an IC without actually storing them, thereby achieving greater resistance to device hacking. The challenge is represented by the need of reading a block of SRAM, which must be large enough to correctly perform the FE to reconstruct the same response every time and ensure security, but at the same time, it must be reduced as much as possible to decrease the resources used by the microcontroller. Based on various tests conducted, it was decided to use a key material of 304 bytes on 2 KB of ATMEGA328P SRAM, to be kept intact during the execution of the extractor algorithm. The response is represented by the efective reading of this block, which is then reconstructed by the FE. The reconstructed response is then hashed to create a of a fixed length 32 byte to be used in the asymmetric keys generator. Moreover, for the generation of a session key, we also use the same PUF to create a temporary private key (), which is inherently random due to the instability of SRAM. In this case, the PUF responses and SRAM block readings are not reconstructed; rather, they are only hashed to obtain a uniformly temporary secret key for use in the asymmetric key generator.
For the creation of asymmetric keys, the Monocypher library [19] has been used. Monocypher is a lightweight cryptography library designed to be portable, highly suitable for constrained environments and low-power microcontrollers, thanks to its minimal footprint and low processing demands. Deployment is straightforward; users simply need to add two files to their
Authen ca on
Server SharedSec= crypto_x25519(KApriv, KSpub) SharedK= blake2b(SharedSec, KApub KSpub)
SharedSec= crypto_x25519 (KSpriv, KApub)
SharedK= blake2b(SharedSec, KSpub, KApub) Enc{IDA, Tpub, SignED25519(IDA, Tpub)Tpriv}SharedK
Decrypt with SharedK
Get Tpub and verify sign SessionSec= crypto_x25519(KSpriv, Tpub)
SessionK= blake2b(SessionSec, KSpub, Tpub)
Enc{IDB, Tpub, KSpub, SignED25519(IDA, Tpub)Kpriv_S}SessionK SessionSec= crypto_x25519(Tpriv, KSpub) SessionK= blake2b(SessionSec, Tpub, KSpub)
Decrypt with SessionK
Verify sign, Tpub, KSpub project, which compile in both C99 and C++. Among its various functions, this library enables the generation of a public key from a given secret using the x25519 protocol. As depicted in both branches of Figure 1, the private key is given as input to the asymmetric key generator and is used to generate two key pairs. The first one is the long-live key pair ( ,), that can be used for the identification, while the second one is the temporary key pair ( ,), that can be leverage for the creation of a session key. The key diference between the two key pairs is the way in which the PUF response is used.
Original keys and temporary keys are exploited to securely obtain a session key to encrypt exchange data, as depicted in Figure 2. Specifically, crypto_x25519() performs an X25519 key exchange between NodeA and Server, both nodes have to use its secret key and the counterpart’s public key to create a Shared Secret (SharedSec). The shared secret, known only to those who know a relevant secret key (NodeA and Server), is not cryptographically random. It can not be used directly as a key. It has to be hashed in both parts, concatenated with its public key and counterpart’s public key using blake2b(), a cryptographically secure hash based on the ideas of ChaCha20, to obtain a shared key (SharedK). Node A sends the concatenation of its identifier (ID), ( ) (constructed as described in Section 4.2) and a sign of both, all encrypted with the SharedK. Encryption is performed using the AES algorithm, which in IoT devices provides a combination of security, eficiency, and adaptability, making it a popular choice for safeguarding sensitive data exchanged and stored on these resource-limited devices. On the other hand, signature generation is carried out using ED25519, which is an appealing choice due to its combination of resource eficiency, performance, security, and ease of implementation. The Server, after decrypting the message and verifying the sign, calculates the Session Key (SessionK) with the same method used for the SharedK, but using the of Node A. It sends back the concatenation of its ID, obtained from node A and a sign of both, all encrypted with the SessionK. Node A computes the SessionK in same way, decrypt the message and very the sign, and the server , which have to be the same of the first message to avoid replay attack. The obtained SessionK can be used to encrypt the communication between server and node, in order to allow the secure exchange of information for all the functions related to the management of identity.
In this section, we present a possible integration of the proposed system within a classical IoMT context by considering the authentication use case. Taking into account the advantages introduced by SSI, which can be seen as a complete framework for identification, authentication, and data encryption; we will leverage it as a possible implementation of our system. Typical IoMT scenarios are composed of multiple devices exchanging data with a gateway or, in more advanced systems, directly with an external server. For our scenario, we envision an IoT device comprising a secure element, such as the ATMEGA328P, and an ESP-32-based board for transmitting data to a server. This device continuously sends data to the server or at specified intervals. To ensure secure authentication and robust session key management, it is needed to implement secure identification mechanisms and flexible, renewable session key management protocols. These mechanisms safeguard user data during exchanges and mitigate identity spoofing risks. As evidenced by existing literature, the adoption of certificates or SSIbased solutions significantly enhances both the reliability and privacy of end-users. Therefore, integrating such solutions into IoMT environments promises to bolster security while preserving user privacy. The system proposed within this manuscript ofers all the cryptographic operations needed for the implementation of SSI, which will be discussed below.
According to DIDs Recommendation [20]: A DID document can express verification methods, such as cryptographic public keys, which can be used to authenticate or authorize interactions with the DID subject or associated parties.
In our implementation, we demonstrated the capability of IoT devices to extract a private key directly from SRAM material, endowing them with unique features. This facilitates the association of each IoT device with a long-lived public key , thereby enabling their identification. According to the SSI definition, each IoT device must possess a unique DID, which can be derived from the by applying a hash function to the public key. While previous solutions utilized the base58 function for this purpose, in our approach, the final DID used for IoT device identification is formulated as follows: = : : 58(25519__()). Through the utilization of this DID, it becomes feasible to uniquely identify an IoT device and validate its identity by verifying the signature applied to a message. Consequently, the issuer gains the capability to directly issue arbitrary data to the IoT device, which can subsequently be utilized for authentication purposes. The IoT device possesses the capability to consistently derive its associated private key , even in the absence of explicit storage within the device. While efective for identification purposes, it is apparent that this key cannot serve communication needs.
Once the long-live identifier has been defined, establishing a session key becomes imperative prior to initiating the authentication process. As demonstrated in the preceding section, we presented a temporary key pair extractor (Fig. 2) to address this requirement. To mitigate potential vulnerabilities, we propose a strategy wherein a distinct key is defined for each communication session. In our proposal, we assume that the server does not implement key derivation, a measure suficient to thwart replay attacks, given that the message exchanged from the IoT node A includes a form of nonce represented by its derived temporary key.
Upon completion of the exchange procedure by the server, it gains the ability to verify the identity of the IoT device by examining the signature applied to the message, which contains the DID of the party. Generating a signature in this scenario is relatively straightforward, as we already have an extracted private key available for credential signature. Once two parties have established a common symmetric secret, which dynamically changes with each new session, data and VCs can be encrypted for communication. The IoT Node typically retains a VC necessary for demonstrating its identity and the identity of the issuer. This enables authentication within the IoT node and facilitates the creation of a shared secret that can be utilized in lightweight algorithms.
In this section, we will focus on the performance of the proposed system in terms of time needed to execute the operations described in the section 4. For the evaluation of the performance we used an Arduino Uno equipped with ATMEGA328P microcontroller. Such a microcontroller holds 16MHz for the frequency clock, a 32KB flash memory, 2KB SRAM, and 1KB EEPROM memory. It is used only for the extraction of private key, which is used by an ESP32 for implementing the remaining functions needed to run SSI protocol. We decided to use this device to demonstrate the feasibility of the proposed system also within a really constrained environment. Regarding the work performed on Arduino, the time required for computing both original keys and temporary keys was measured, as explained in Section 4.2. The results obtained indicate an average time of 2.4 seconds for the former and 0.2 seconds for the latter. This disparity arises from the fact that the computational workload of the FE in reconstructing the key is more substantial, even though manageable as it only needs to be executed once upon restart. Measurements were also conducted for the various primary steps of the key exchange scheme outlined in Section 4.3. Specifically, the times for generating the public key according to the x25519 protocol, generating the shared secret and shared key, and generating the keys according to the Ed25519 protocol were evaluated. The results indicate very low microsecond-level times, on the order of 10− 2 seconds. Additionally, times were assessed for encryption, decryption, signing, and verification according to the AES and Ed25519 protocols, gradually varying the input size while remaining within the data exchange size ranges required for the operation of the SSI mechanism. The results demonstrate nearly constant times for signing and verification, namely 60 milliseconds for signing and nearly 100 milliseconds for verification. However, encryption and decryption times increase with increasing input size, yet remain relatively low for the size of the data utilized.
The rapid advancement of IoT technologies, particularly within the medical domain, has greatly enhanced reliability and eficiency in healthcare systems. However, the increasing vulnerability of these devices due to inadequate authentication mechanisms presents significant privacy and security risks. To mitigate these issues, user-centric authentication leveraging asymmetric encryption has emerged as a crucial security measure across various domains. This work introduced a novel approach to authentication within the IoMT by integrating SSI and SRAMPUF. Our approach tries to ofer robust security in resource-constrained environments without compromising operational eficiency. Through a concrete implementation exploiting the PUF mechanism, the solution demonstrates convenient time complexity, indicating that it is eficient and suitable for practical use. Future work will focus on testing the formal security of the proposed authentication mechanism. This includes employing formal verification, threat modeling, and conducting real-world deployment studies to ensure robustness and practicality in real-world scenarios.