Edge Computing Security: Device Attestation Basic Building Blocks
This post is part 2 of the series. Read part 1 here.
Although security has been and will continue to be a concern for IoT and Edge deployments for a long time, the tools and technologies needed to implement a sensible device attestation approach are available now. They are stable and mature for most use cases.
For this introduction to the topic, we decided to describe a device attestation blueprint based on open standards and best practices in IoT and Edge Computing solutions focusing on higher-value assets, as typically found in industrial and transportation applications. This blueprint requires some fundamental technology building blocks to be selected first:
• A viable solution for authentication that scales well is leveraging (x.509) certificates in combination with a Public Key Infrastructure (PKI), technologies well understood and widely used in enterprise IT environments.
• For the hardware-protected root of trust in the edge device, a TPM 2.0 (Trusted Platform Module) is a choice found in many edge hardware designs. Other technology options may provide alternatives depending on the specific application requirements.
Highly trusted and widely adopted, PKI (Public Key Infrastructure) is one of the strongest authentication mechanisms, leveraged in many ITC applications, from banking to digital signing of documents, from user login to IT systems to IoT device attestation. PKIs, implementing a Certificate Authority as a central element, are used for digital certificate lifecycle management and their creation, distribution, revocation, and validation at scale.
These digital (PKI) certificates are data structures that bind an identity to a cryptographic key using a digital signature. The term X.509 stands for a dominantly used standard in digital certificates, defining the structure and format of digital (public key) certificates. In short: a PKI certificate represents a solid cryptographic basis for a trusted digital identity.
Several established players play a structural role as (Internet) certificate authorities and providers of identity services, such as GlobalSign, which offers a wide array of products and related services.
Device identities and credentials are only as secure as the methods used to create and protect them. Secure crypto-processors and storage like Trusted Platform Modules (TPMs) are becoming an important element in edge computing systems; some desktop operating systems also started requiring them. A TPM is a highly standardized security hardware module, a secure crypto-processor, designed to protect the integrity and authenticity of devices. It is designed to carry out cryptographic operations, includes features to make it tamper-resistant, and is used to generate, store, and protect the use of cryptographic keys and certificates.
TPMs are based on specifications conceived and maintained by the Trusted Computing Group (TCG), currently the TPM Library Specification 2.0. Several manufacturers, including Infineon with its OPTIGA™ product family, offer TPM 2.0 chips.
In our next post, we will describe how these elements, with a well-designed certificate hierarchy, are coming together in the technology blueprint.
All Edge of Things contributors belong to Eclipse Foundation member organizations or are Foundation staff. The contributors to this particular post are Robert Andres (Eurotech), Frédéric Desbiens (Eclipse Foundation), and Kilton Hopkins (Edgeworx).
