
The importance of identity in IoT

Feature articles |
By eeNews Europe



The identity of an Internet of Things (IoT) device is the aggregate of the identity information from all its sub-elements. A device has multiple building blocks: some of them are physical, others are logical. Building blocks are nested within other ones: the board is made up of the main applications processor, other processors such as graphics processing units (GPUs), and passives. The board has an identity, and so do the applications processor and the GPU. The software includes device drivers, hypervisors, and the virtual machines that host the operating systems and the applications. Each one of these elements has an identity.

Each element in the device, whether physical or logical, has attributes. It may have been certified; it may have dependencies upon other elements. It may include data that represents a standardized identity, such as an IP address or a MAC address. In some cases, the element is a very secure container such as a SIM, eSIM or iSIM that represents an identity with the cellular operator and certain rights to the regulated airwaves.

The identity of these elements can change over time. IP addresses and iSIM information vary with the operator that owns the resource the device is accessing. The device updates its software, and new capabilities and applications get installed; they are rolled out as new hardware or software functions that carry their own provisioning materials and credentials. These new elements bring identity materials with attributes, and they contribute to the overall identity of the device.


The device is a network of elements, some of them nested within each other. Each element brings its own credentials to participate in the overall definition of the device's identity. Each element may have a different third party that can validate its identity and attributes. Authentication of devices and their elements is a key function of identity. Claims-based applications need an identity to authenticate themselves with secure applications, and they need a third party to authenticate their claims. The device becomes a complex system of elements relying on third parties for authentication.

The leading challenge of identity is the fragmentation of the concept. There are several standards-based identity schemes, for example: MAC address (IEEE), IP address (IETF) and cellular SIM (GSMA or TCG/TPM). There are also de facto industry standards such as Android, where one company can impose the architecture of identity on an ecosystem. However, when it comes to applications, virtual machines and various hardware elements, there are no standards, and market fragmentation makes it challenging to define consistent identity schemes.

Without identity, trust cannot be established between systems. Tracking the identity of the hardware and software parts on a board enables the customer to understand their source. When each actor handling an element of the device updates its attributes, security through traceability is greatly enhanced within the supply chain. A device where identity has been correctly implemented and tracked in all key elements can be trusted, as all its parts are known.


Remote device attestation is a fundamental service that allows a remote device, such as an IoT device or other endpoint, to prove itself to a relying party or a service. This allows the relying party to learn some characteristics of the device and decide whether or not it trusts the device. The concept also applies to sub-elements of the device that need to demonstrate their identity before accessing services.

Remote attestation can underlie other protocols and services that need to know about the trustworthiness of the device before proceeding. One example is biometric authentication where the biometric matching is done on the device: the relying party needs to know that the device is one that is known to do biometric matching correctly. Another example is content protection, where the relying party wants to know how the device will protect the data. The concept generalizes to corporate enterprises that might want to know that a device is trustworthy before allowing it to access corporate data.

The notion of attestation is broad and may include, but is not limited to, the following:

  • Proof of the make and model of the device hardware

  • Proof of the make and model of the processor, particularly for security-oriented chipsets

  • Measurement of the software running on the device

  • Configuration and state of the device

  • Environmental characteristics of the device such as its GPS location


To achieve this objective of consistent identity across the IoT marketplace, the industry defined the Entity Attestation Token (EAT), which is being standardized within the Internet Engineering Task Force (IETF).

Cooperation is the key to solving the problem of identity. Very few industry actors can impose their own identity norms on an industry. Participation in standards bodies is the key to success. Through cooperation and transparency, it is possible to define schemes that fit within global standards and meet security objectives.

The Entity Attestation Token is based on CBOR tokens; CBOR itself is standardized by the IETF in RFC 7049. Multiple data types can be supported, and the format is compact enough to be implemented in small IoT devices. The attestation materials are defined as claims. The EAT of the device can be composed of EATs for its sub-modules, and each entity creating an EAT can do so by means of its own root of trust. The attestation materials should be cryptographically verifiable by the relying party that will use the EAT.
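The following Python sketch is an added example, not code from the article, the IETF or the FIDO Alliance. It ties together the remote attestation flow described earlier (relying party issues a challenge, device answers with evidence, relying party decides) and the EAT structure described in the preceding paragraph (CBOR-encoded claims, a nested sub-module token, a cryptographic check by the relying party). Several simplifications are assumptions of this example: the CBOR codec is a hand-written subset of RFC 7049 (unsigned integers, strings, arrays, maps), the claims use text labels where real EAT profiles use IETF-registered integer claim keys, and HMAC-SHA256 with a shared key stands in for a COSE signature produced by the device's hardware root of trust. Device identifiers, keys, firmware images and measurements are constructed values.

```python
import hashlib, hmac, secrets, struct

# Minimal CBOR (RFC 7049) codec for the subset this example needs: unsigned
# integers, byte strings, text strings, arrays and maps. Written for this
# example; it is not a complete CBOR implementation.
_WIDTHS = {24: (">B", 1), 25: (">H", 2), 26: (">I", 4), 27: (">Q", 8)}

def _head(major, n):
    """Initial bytes: major type in the top 3 bits, then the length or value."""
    if n < 24:
        return bytes([major << 5 | n])
    for info, (fmt, width) in _WIDTHS.items():
        if n < 1 << (8 * width):
            return bytes([major << 5 | info]) + struct.pack(fmt, n)
    raise ValueError("integer too large")

def cbor_encode(obj):
    if isinstance(obj, int) and not isinstance(obj, bool) and obj >= 0:
        return _head(0, obj)
    if isinstance(obj, bytes):
        return _head(2, len(obj)) + obj
    if isinstance(obj, str):
        data = obj.encode("utf-8")
        return _head(3, len(data)) + data
    if isinstance(obj, (list, tuple)):
        return _head(4, len(obj)) + b"".join(cbor_encode(x) for x in obj)
    if isinstance(obj, dict):
        return _head(5, len(obj)) + b"".join(
            cbor_encode(k) + cbor_encode(v) for k, v in obj.items())
    raise TypeError(f"unsupported value: {obj!r}")

def _decode(buf, pos):
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        n = info
    elif info in _WIDTHS:
        fmt, width = _WIDTHS[info]
        n, pos = struct.unpack(fmt, buf[pos:pos + width])[0], pos + width
    else:
        raise ValueError("indefinite-length items are not supported")
    if major == 0:
        return n, pos
    if major in (2, 3):
        chunk = buf[pos:pos + n]
        return (chunk if major == 2 else chunk.decode("utf-8")), pos + n
    if major in (4, 5):
        items = []
        for _ in range(n * (2 if major == 5 else 1)):
            item, pos = _decode(buf, pos)
            items.append(item)
        return (dict(zip(items[::2], items[1::2])) if major == 5 else items), pos
    raise ValueError(f"unsupported major type {major}")

def cbor_decode(buf):
    obj, pos = _decode(bytes(buf), 0)
    if pos != len(buf):
        raise ValueError("trailing bytes after CBOR item")
    return obj

# Constructed values. A real device keeps an asymmetric key in its hardware root
# of trust and signs with COSE_Sign1; HMAC-SHA256 with a shared key stands in
# here so the example runs with the standard library alone.
DEVICE_ID = b"\x01\x02\x03\x04"
DEVICE_KEYS = {DEVICE_ID: hashlib.sha256(b"constructed-device-secret").digest()}
KNOWN_GOOD_FW = {hashlib.sha256(b"fw-image-v1.2").digest()}   # verifier's reference

def build_eat(device_id, key, nonce, fw_image):
    """Device side: collect claims, nest a sub-element's claims, MAC the encoding."""
    secure_element = {"hw-make": "ExampleSoC", "hw-model": "secure-element-A"}
    claims = {
        "nonce": nonce,                    # freshness challenge from the relying party
        "ueid": device_id,                 # device identifier
        "hw-make": "ExampleVendor",
        "hw-model": "gateway-1",
        "sw-measurement": hashlib.sha256(fw_image).digest(),
        "submods": {"secure-element": secure_element},   # EAT composed of sub-module EATs
    }
    payload = cbor_encode(claims)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return cbor_encode([payload, tag])

def verify_eat(token, expected_nonce):
    """Relying-party side: authenticate the token first, then judge its claims."""
    payload, tag = cbor_decode(token)
    claims = cbor_decode(payload)
    key = DEVICE_KEYS.get(claims.get("ueid"))
    if key is None:
        return False, "unknown device"
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), tag):
        return False, "bad tag"                # forged, or altered in transit
    if claims.get("nonce") != expected_nonce:
        return False, "stale or replayed token"
    if claims.get("sw-measurement") not in KNOWN_GOOD_FW:
        return False, "unknown software measurement"
    return True, claims

def attestation_round(fw_image, nonce_used=None):
    """One challenge/response; a nonce_used differing from the issued nonce simulates a replay."""
    nonce = secrets.token_bytes(16)            # issued by the relying party
    token = build_eat(DEVICE_ID, DEVICE_KEYS[DEVICE_ID], nonce_used or nonce, fw_image)
    ok, info = verify_eat(token, nonce)
    return ok, ("accepted" if ok else info)
```

The order of checks in `verify_eat` is the point worth copying: the relying party authenticates the token before it reads any claim, then checks freshness (the nonce it issued), and only then compares the software measurement with its reference values. Swapping a firmware image, replaying an old token or producing a token without the device key each fail at a different step, and the verifier reports which one.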


However, the EAT only defines a high-level architecture describing the identity of an entity and its attributes. It becomes important to identify specific use cases and scenarios and to create standardized profiles for EAT materials. This approach removes fragmentation, as it lines up the industry behind one format for identity materials (EAT) and lets individual industries define their own standardized profiles. An example of such industry activity is the FIDO Alliance, which is working on IoT Device Attestation/Authentication profiles to enable interoperability between relying parties and IoT devices.

Standardized identity profiles will considerably enhance the security of IoT systems. They will enable the traceability of all elements within the device as it goes through the full supply chain, all the way to the final user and consumer. They will facilitate forensic analysis. They enable passwords to be removed from onboarding operations. Finally, they will enable advanced functions such as dynamic onboarding and the binding of devices to applications.

About the author:

Marc Canel is Vice President of Strategy – Security at Imagination Technologies – www.imgtec.com
