On the feasibility of deriving cryptographic keys from MEMS sensors

One of the main challenges in the internet of things (IoT) will be to guarantee the security of products and services enabled by it. A fundamental assumption in any cryptosystem is that secret-key material remains securely stored and unknown to attackers. To this end, physical unclonable functions have been proposed to store cryptographic secrets without the need to use non-volatile memory. In this work, we show that microelectromechanical systems (MEMS) sensors, ubiquitous in the IoT, can be used to generate a stable nearly fully entropic bit string that can be used as a secret or private key in a cryptographic algorithm. We provide experimental evidence of the stability of our methods by analyzing data from 468 off-the-shelf 3-axis MEMS gyroscopes subjected to different temperatures in the range typically required for consumer applications and standardized aging tests. The investigations are carried out on module level so that packaging influences are considered. We derive unique fingerprints from the sensors based on their characteristics, and we show that the false rejection rate (FRR) and the false acceptance rate (FAR) are below \(1 \times 10^{-6}\) for all applied test conditions. By adding up the values of FRR and the FAR, the highest probability for an authentication error is \(4.1 \times 10^{-6}\). Furthermore, we extract stable keys from the fingerprints. The extracted key length lies in a range between 27 and 150 bits depending on the applied test conditions and the used entropy estimation method.