incorporated strong security as a key
part of its makeup.
For it to be able to access the cellular
wireless network, every phone must
include a subscriber identity module
(SIM) that provides the means
for operators to authenticate and
communicate with the handset or
device. A similar hardware construct
is the Trusted Processor Module (TPM)
originally developed for personal
computers and now used in embedded
products such as point-of-sale (POS)
terminals. At the heart of these
modules is the public key infrastructure
(PKI) architecture. It is an architecture
that provides a number of facilities to
support the various security needs of
IoT devices and has begun to appear
not just in devices developed for
phones and PCs but leaner embedded
systems.
PKI revolves around the concept of
asymmetric cryptography, in which
documents and other software objects
are signed and checked using a
combination of private and public keys.
The mathematics of PKI relies on the
inability to easily derive a private key
from an associated public key. The
public key may be disseminated freely.
The private key needs to be protected.
Within an embedded device, a securely
made cryptoprocessor with protected
memory provides the ideal substrate.
One example is the PIC24FJ128GB204
with 128KB of onchip RAM and
hardware cryptographic support. It is
a member of the PIC24F GB2 family
of microcontrollers made by Microchip
Technology.
A key facility of a hardware trust
module processor is to ensure that
when the device boots it is running only
authorised code and that an unknown
outsider has not compromised it. This
is known as secure boot. When the
device starts up and reads the code
from onboard read-only memory
(ROM) it checks that each major
segment has been signed by an
authorised supplier. The supplier uses
a private key to sign the code block.
This signing process creates a
one-way hash of the code itself combined
with the private key. The hardware
trust component examines the hash to
check it for authenticity. Any changes
to the codebase need to be signed
using an appropriate key that the trust
module checks before installation or
update continues.
If the device encounters a block of
code that is incorrectly signed, it
will typically block the loading of the
affected software and may move into a
recovery state that attempts to obtain
authorised code from the original
supplier – possibly reverting to factory
code stored in ROM – and send an
alert, if it is able, to a server.
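
The check-and-recover flow described above, as an added Python example (not code from the article or from any vendor named in it). The key is a constructed, insecure demo key using unpadded RSA, and the names `secure_boot`, `FACTORY`, `GOOD` and `TAMPERED` and the segment contents are assumptions made for illustration.

```python
import hashlib

# Constructed, INSECURE demo key: two Mersenne primes keep the block offline and
# self-contained. Real devices use a vetted library or hardware engine with
# standard padding, and the private exponent never leaves the supplier.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                                  # public modulus, held by the trust module
D = pow(E, -1, (P - 1) * (Q - 1))          # supplier's private exponent

def digest(code: bytes) -> int:
    """One-way hash of a code segment, as an integer smaller than N."""
    return int.from_bytes(hashlib.sha256(code).digest(), "big")

def sign(code: bytes) -> int:
    """Supplier side: combine the hash with the private key."""
    return pow(digest(code), D, N)

def verify(code: bytes, signature: int) -> bool:
    """Trust-module side: only the public key (N, E) is needed."""
    return 0 <= signature < N and pow(signature, E, N) == digest(code)

def secure_boot(segments, factory_image):
    """Return (segments_to_run, alerts). Any bad segment forces recovery."""
    alerts = [name for name, code, sig in segments if not verify(code, sig)]
    if not alerts:
        return [name for name, _, _ in segments], alerts
    # Recovery: refuse the image and revert to factory code, itself verified.
    name, code, sig = factory_image
    if verify(code, sig):
        return [name], alerts
    return [], alerts + [name]             # nothing trustworthy left: halt

# Constructed sample firmware layout.
FACTORY = ("factory_rom", b"factory firmware v1", sign(b"factory firmware v1"))
GOOD = [("bootloader", b"stage1", sign(b"stage1")),
        ("application", b"app v2", sign(b"app v2"))]
# Old signature over modified code: what a tampered segment looks like.
TAMPERED = [GOOD[0], ("application", b"app v2 + implant", GOOD[1][2])]

if __name__ == "__main__":
    print(secure_boot(GOOD, FACTORY))
    print(secure_boot(TAMPERED, FACTORY))
```

The returned alert list stands in for the message the device would send to a server once it has a connection.
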
Although it is possible to implement
some forms of secure boot without a
hardware trust module, it is hard to
ensure that the boot process will halt
correctly if the hacker has penetrated
far enough into the firmware. The
processor in the hardware trust module
can enforce security by performing
decryption of key parts of the firmware
on behalf of the host processor only
if the hash is correct and refusing
decryption service to any software
component that does not have a
correct hash or key. With the ability
to protect onchip keys and prevent
them being changed or read out by an
attacker, Microsemi’s range of
flash-based FPGAs, such as the SmartFusion
2, can be used to support secure-boot
and other security functions.
Once the device has booted correctly,
it can authenticate itself to the
network using PKI mechanisms.
Typically, the device will set up secure
communications using a protocol such
as Transport Layer Security (TLS),
an adjunct to the commonly used
HyperText Transfer Protocol (HTTP).
Digitally signed certificates stored within
the hardware trust module provide
remote servers with the confidence
that they are communicating with a
known resource. The actual certificate
is stored within the trust module so
that only publicly accessible data is
supplied over the network and the
device’s own internal bus to prevent
hackers from being able to make use of
eavesdropping techniques.
Without a hardware trust module,
the hacker may be able to use a logic
analyser or other instrument to probe
the memory of the device and obtain
the secret keys and certificates that
can then be used to spoof the network
servers.
Conversely, the IoT device needs to be
sure that it is taking commands only
from other devices or servers that it
can trust. By having the hardware trust
module check the certificates of those
other devices against keys stored in
protected memory the device can
ensure it is communicating only with
authorised systems.
As service profiles will change over
time, the use of PKI exchanges allows
certificates to be added or deleted. This
ensures not only that services can be
enhanced over time but also that other systems
that are no longer part of the network
or which are known to be compromised
can be taken off the trusted list.
By taking advantage of the experience
and technological infrastructure
that has been developed for mobile
telephony and computing, IoT
manufacturers can gain a head start
in providing a secure base for their
products. The availability of devices
such as members of Microchip’s
PIC24 GB2 family and the flash-based
FPGAs from Microsemi provides IoT
manufacturers with easy access to
those technologies, giving them a solid
foundation for the secure IoT.
IoT
Special Edition
New-Tech Magazine Europe l 55