Atmel : Introducing a proven method for securing intelligent IoT edge nodes – CryptoAuthentication™


Fig. 1: Even when the channel is secure, attackers can access the network through unsecured nodes

In assessing IoT ecosystem management techniques and network vulnerability, developers’ focus is today on the most fundamental element: the edge node. Otherwise known as the ‘things’ in the Internet of Things, these edge nodes are the sensors and actuators which provide the data for the IoT, and carry instructions from the cloud or from a user interacting via a computer, mobile phone, in-car system, smart appliance or other platform.

These nodes sit at the edge of an IoT network, an ecosystem of connected devices which could be manufactured by a wide range of vendors. This raises the important question of the most effective way to control access to this ecosystem, and to prevent sub-standard or malicious devices from degrading the customer’s experience.

The difficulty from a technical point of view is that edge nodes are usually small, intelligent devices which, for cost reasons, have very limited resources. It is often incorrectly believed that they have a limited vulnerability to attack. Indeed, the servers they talk to and the networks that connect them benefit from well established security technologies.

However the edge nodes commonly do not, at least, not yet.

The proper function of encryption

So what is the most effective way to achieve the effective protection of these resource-constrained devices? System engineers commonly make the mistake of equating encryption with security; in fact, encryption is just one part of an effective security system.

One of the first things that must be done to create a secure environment is to reliably discover and prove the identity of elements that are connected to the network. It is essential to first determine who wants to connect to the network: without first performing authentication, the only thing that encryption technologies such as Transport Layer Security (TLS) can do is to protect an entity which is not supposed to be on the network, as shown in Figure 1 (above).

In IoT nodes, TLS is also used to create a secure connection, such as to the cloud. But to be truly secure, an IoT node must also implement application-layer security. That means that the node itself, and not just the communication channel the node uses, should be authenticated. In addition to channel authentication, encryption and data integrity should be established at the application layer to protect the data flowing through the pipe.

Implementing reliable security in resource-constrained devices

IoT devices are often very small and simple, and little or no human interaction may be required for their operation. The automated nature of an IoT device’s functions tends to prompt system designers to ask important questions about the nature of the security apparatus they require. They commonly ask:
• How is it possible to know that an IoT device is trustworthy?
• How is it possible to be certain that an object connected to the network is an IoT device at all, and is not in fact a malicious device pretending to be an IoT node?

Those with responsibility for designing or operating an IoT network, then, tend to have real and pressing concerns about the vulnerability of their infrastructure. End users, on the other hand, are frequently blissfully ignorant about the risks posed by the presence of unsecured nodes on an IoT network.

Users will commonly ask:
• What’s the problem if a stranger knows what temperature setting my connected smart home thermostat is set to?
• Who cares if a stranger finds out remotely that the lights in my house are on?
• Why does it matter if a stranger knows how many steps are logged in my pedometer?

For some individual users, such breaches of privacy might genuinely be trivial. But this is to miss the real risk associated with impaired or incomplete security at the network level.
Here, it is important to consider not only the data on the device, but the data and systems that the device provides or has access to on the network.

In fact, history shows that several high-profile data breaches have been accomplished by spoofing the identity of unsecured network nodes. In these cases, malicious entities were able to get onto companies’ networks by pretending to be an IoT node. And once inside the network, security normally becomes much weaker: the attackers were then able to gain access to their victims’ customer databases and damage industrial processes. By breaching IoT network security, attackers can also access cloud services, and potentially even access nodes and control their operation.

It is clear, then, that authentication of every node, to confirm its identity, is a crucially important element of IoT network security.

While existing internet security technologies such as the Secure Sockets Layer (SSL) transport protocol and TLS can protect communications channels between an uncompromised edge node and a server, they are not invincible. And SSL/TLS protection does not help if an attacker takes control of an edge node.

In fact, tight security for IoT edge nodes involves three fundamental elements, which may be denoted by the acronym CIA:
• Confidentiality – data, whether stored or in transit in a message, should be visible only by authorised persons
• Integrity – a message sent should not change on its way to its destination
• Authenticity – the user must have confidence that the identity of the sender of a message can be trusted

Various technologies can be used to implement these three elements of network security, but common among them is the use of secret or private keys which serve as part of a unique, verifiable identification tag. And the way that these keys are managed – their storage and communication – determines the security of a system.

The challenge is to implement edge-node security while remaining within the narrow limits of the computing, memory and power resources available to the node, as well as within a cost budget. Once a node or device is proven to be trusted, a myriad of other benefits can be fully realised, as shown in Figure 2. These include secure communications, ecosystem control, and secure storage.


Fig. 2: Numerous benefits become available to a node the identity of which has been verified

By providing a cryptographically verifiable, hardware-secured identity for edge-node devices, system designers can ensure that these devices comply with all required standards and do not present a risk to the entire network ecosystem.

In practice, this means taking the following steps:
• Identification – prove the identity of any visitors coming in over the network
• Authenticity – authenticate any accessories that try to attach to a node
• Confidentiality – encrypt messages
• Integrity – append a Message Authentication Code (MAC) to all messages to prove that no one has altered the message in transit

In addition, steps can be taken to protect a node from proximity or side channel attacks. They can be implemented on the entire system, or just on a key sub-system.
• Store keys in protected hardware so that there is no electrical access to the key
• Shield the system to prevent electromagnetic emissions from divulging key information
• Add circuitry specifically to confound attempts to monitor power or other signals. This may include dummy counters or circuits with some element of randomness to scramble useful information.
• Encrypt the key in storage. Even though the key may be electrically inaccessible, a determined attacker may try to strip away layers of the device to see into embedded Flash memory and retrieve the key that way. Encryption neutralises this attack.
• Eliminate unnecessary ports

It is also important to protect keys during the entire manufacturing process. The use of hardware security modules which store the keys in encrypted format and in protected hardware is an excellent and proven methodology.


Fig. 3: The Atmel® ATECC508A is a member of the Atmel
CryptoAuthentication family of crypto-engine authentication devices with highly secure hardware-based key storage

ICs with trusted security capability
Security is fundamental for the successful adoption of the IoT. Edge nodes are currently the weakest link in ensuring IoT security; the protection of cryptographic keys secures these edge
nodes. And the best way to achieve lock down is through the use of protected hardware.

The Atmel CryptoAuthentication™ family of cryptographic elements provides a rock-solid means of storing keys in protected hardware and managing those keys to achieve multi-layer security, as shown in Figure 3. The broad Atmel portfolio of microcontrollers, wireless devices, and cryptographic elements brings state-of-the-art intelligence to enable users to securely connect devices to the IoT and beyond.