IoT Security & Cryptography

Under Development

The Basics for IoT Devices

Implement TLS/SSL for IoT devices that connect to the internet. TLS (also called SSL) and HTTPS encrypt all data transmitted between the IoT device and the service on the internet.

In addition to using TLS to encrypt transmitted data, you also need to authenticate the host certificate. To do this, generate a fingerprint or certificate for the server you are connecting to, and provide it to the software on the IoT device that makes the TLS connection.

How to verify a server/host identity
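The fingerprint check described above, as an added example (not code from this page): the device stores the server certificate's SHA-256 fingerprint and refuses the connection unless the certificate presented during the TLS handshake matches it, on top of the normal CA and hostname validation. The function names are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl

def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()

def normalize_pin(pin: str) -> str:
    """Accept 'AA:BB:...' (openssl style) or plain hex; return lowercase hex."""
    cleaned = pin.replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("pin must be a 32-byte SHA-256 fingerprint in hex")
    return cleaned

def pin_matches(der_cert: bytes, pin: str) -> bool:
    """Compare the presented certificate with the stored pin in constant time."""
    return hmac.compare_digest(cert_fingerprint(der_cert), normalize_pin(pin))

def connect_pinned(host: str, port: int, pin: str, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection that passes CA and hostname validation AND
    presents the pinned certificate; raise and close the socket otherwise."""
    ctx = ssl.create_default_context()          # chain and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    if not pin_matches(tls.getpeercert(binary_form=True), pin):
        tls.close()
        raise ssl.SSLError(f"certificate fingerprint mismatch for {host}")
    return tls
```

A pinned fingerprint has to be updated on the device whenever the server certificate is renewed, so plan the update path before deploying it.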

Secure authentication keys by using a Crypto Authentication Chip.  

 

Cryptography

Adafruit IoT Security Tutorial

 

Cryptographic Authentication

On a high level, this involves data, digital signatures and verification.  

Private & Public Keys

The private key is a unique chunk of data that resides in a protected part of the co-processor's memory (usually written when the chip is manufactured). The private key is generated (output) by an algorithm based on complex math called Elliptic Curve Cryptography (ECC). The public key is also generated via ECC and is paired with the private key. (How does the recipient acquire the public key?)

Digital Signatures

The data we want to exchange and then authenticate is called the message. The digital signature is generated from the message and the private key. A digital signature or 'public key certificate' is included with a message as a separate chunk of data. Unlike most digital signatures, ECC-generated digital signatures are unique even when the message content is the same.

If your message is larger than what is supported for digital signature generation, then create a hash of the data, and generate the digital signature from that hash. (Share the hash with the recipient?)

Verification

The external public key, the signature, and the ECC running on a separate co-processor are used to verify or authenticate the digital signature and message. (How does the recipient acquire the public key?)

Related Links

SparkFun tutorial on Cryptographic Authentication

Cryptographic Co-Processor ATECC508A (Qwiic) Hookup Guide

 

Secure Element Chip / Crypto Authentication Chip

A secure element chip stores authentication keys (private and public).   The authentication keys are written at the factory before deployment, and then read out via I2C.  

The Adafruit ATECC608 Breakout stores tokens once, and then you read them over I2C.   It also has hardware support for random number generation, and SHA-256/HMAC hash functions.  

Adafruit Infineon Trust M Breakout Board is a crypto authentication chip with ECC NIST P256/P384, SHA-256, TRNG, DRNG, RSA® 1024/2048.   This chip can store your private keys securely, as well as generate true random numbers.  

Hardware-Based Trust Provides Key to IoT Security

 


Token-Based Authentication

Token-Based Authentication relies on a signed token (hash) that is sent to the server on each request. The authentication token is generated (previously) by the server and is unique to the client/user.

JSON Web Token (JWT) is a JSON-based open standard (RFC 7519) for passing claims between parties in a web application environment. The tokens are designed to be compact, URL-safe, and usable especially in a web browser single sign-on (SSO) context.

 

Note that a Secure Element Chip / Crypto Authentication Chip typically doesn't provide a means to store an unaltered Authentication Token and then later retrieve it for use in an HTTPS request. They do store an X.509 certificate that can be retrieved, but it must be DER (Distinguished Encoding Rules)-encoded (which means that it is in binary format).

 

 


Cyber Security Standards

NIST Cybersecurity Framework (CSF)

 

ISO 2700x Guidelines

 

ISA/IEC 62443

The ISA/IEC 62443 standards were purpose-built to address security issues unique to industrial automation and control systems (IACS) and operational technology (OT).  

PCI-DSS

PCIDSS

FIPS-140-2

VIPS1402

NSA Suite B

NSAB

Encryption Standards

AES

AES meets U.S. Government requirements for HIPAA data protection, and FINRA standards for protecting financial records.  

ISO 29192 makes recommendations for cryptographic primitives specifically tuned to perform on constrained “low end” devices.

 


Password Character Set

These characters are the preferred set for passwords that must be typed or read visually by a person:

A, C, E, F, H, J, K, L, M, N, P, R, T, U, V, W, X, Y, Z
2, 3, 4, 6, 7, 9
#, $, %, ^, &, *, (, ), =, +, [, ], {, }, /, \, ?

 


IoT Protocol Security Recommendations

MQTT

MQTT must be implemented with SSL/TLS because the password-based authentication fields built into its CONNECT message (OASIS-OPEN) are sent in plain text. One of the main advantages of an MQTT broker is that it eliminates vulnerable and insecure client connections.

An MQTT broker receives all messages and coordinates the publishing of messages to clients that are subscribed. The MQTT connection is only between one client and a broker. When a broker receives a command from a client to connect, it must determine if the client is eligible to connect based on the client id, username, and password sent by the client (username and password are optional, but for security reasons, must be required). A client must be required to authenticate its identity with an X.509 digital certificate. The use of an X.509 certificate requires implementation of TLS (Transport Layer Security) as its encryption method. X.509 certificates verify the identity of the MQTT client and provide authentication at the transport level.

A client connecting to a broker can either publish or subscribe to topics. Client subscription to topics is the main resource available to them. Authorization may be done by Role-Based Access Control (RBAC) or an Access Control List (ACL). Using ACL or RBAC, a broker can be configured with topic permissions, and then at connection time, determine what topics and operations are allowed, and the allowed quality of service.
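An added example (not taken from any broker's code) of the topic authorization described above: each role carries rules naming a topic filter, the permitted operations and the highest QoS, and every publish or subscribe request is denied unless a rule covers it. The role table, topic names and function names are assumptions; the wildcard handling follows the MQTT rules for `+` and `#`.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    topic_filter: str   # may contain MQTT wildcards and a {client_id} placeholder
    operations: tuple   # any of "publish", "subscribe"
    max_qos: int        # highest QoS the rule grants (0, 1 or 2)

# Constructed role table for illustration; roles and topics are assumptions.
ROLES = {
    "sensor": [Rule("site1/{client_id}/telemetry", ("publish",), 1),
               Rule("site1/{client_id}/cmd/#", ("subscribe",), 1)],
    "dashboard": [Rule("site1/+/telemetry", ("subscribe",), 0)],
}

def filter_covers(allowed: str, requested: str) -> bool:
    """True if `allowed` covers `requested`, which is a publish topic or a
    subscription filter. '+' spans one level, '#' spans all remaining levels."""
    a_levels, r_levels = allowed.split("/"), requested.split("/")
    if requested.startswith("$") and a_levels[0] in ("+", "#"):
        return False                      # wildcards never reach $SYS-style topics
    for i, level in enumerate(a_levels):
        if level == "#":
            return i == len(a_levels) - 1
        if i >= len(r_levels) or r_levels[i] == "#":
            return False                  # a requested '#' is wider than this rule
        if level != "+" and level != r_levels[i]:
            return False
    return len(a_levels) == len(r_levels)

def is_allowed(role, client_id, operation, topic, qos) -> bool:
    """Default deny: permit only what a rule for the client's role covers."""
    if not client_id or any(c in client_id for c in "/+#"):
        return False                      # the id is substituted into topic filters
    if operation == "publish" and any(c in topic for c in "+#"):
        return False                      # wildcards are not valid in topic names
    for rule in ROLES.get(role, ()):
        bound = rule.topic_filter.replace("{client_id}", client_id)
        if (operation in rule.operations and qos <= rule.max_qos
                and filter_covers(bound, topic)):
            return True
    return False
```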

Access tokens provide an additional mechanism for scoping permissions for clients.   Many token services are available, but the most commonly used is OAuth 2.0.  

Related Links:

The 3 Basic Concepts of MQTT Security


IoT Security Solutions

  • AES-256: Encrypt any data transmitted (wirelessly or by wire) using AES-256. AES is a symmetric algorithm that uses a single shared secret key between the sender and the recipient. Use a Crypto Authentication Chip on the microcontroller to store and retrieve the AES secret key, and employ something equivalent on the recipient.
  • OTA Updates (over-the-air updates) must be sent cryptographically signed over a secure connection, and the recipient must check the signature of the update to ensure it is valid and truly from the authorized sender.
  • Manage the updates of open-source software.

[1] The disadvantage of the AES symmetric-key-based approach is that the number of keys increases exponentially with the number of parties involved.   Group Size Vs. Symmetric Keys

Secure OTA

NervesHub — an extensible web service that allows you to manage over-the-air (OTA) firmware updates of devices.   article  


Related Links

IPSec Bandwidth Overhead Using AES

Practical Industrial Internet of Things (Industrial IoT) Security: How to make IIoT secure

Secure OTA using NervesHub

solace on MQTT security

Hardware-Based Trust Provides Key to IoT Security

 


Do you need help developing or customizing an IoT product for your needs? Send me an email requesting a free one hour phone / web share consultation.

 

The information presented on this website is for the author's use only.   Use of this information by anyone other than the author is offered as guidelines and non-professional advice only.   No liability is assumed by the author or this web site.