Upgrade to Pro — share decks privately, control downloads, hide ads and more …

IoT セキュリティで重要な「認証鍵」どこに保管する?AWS IoT EduKit から学ぶ「セキュアエレメント」の役割と機能/Where does store an “important” credential

SORACOM
November 20, 2021

IoT セキュリティで重要な「認証鍵」どこに保管する?AWS IoT EduKit から学ぶ「セキュアエレメント」の役割と機能/Where does store an “important” credential

2021年11月20日~21日開催、JAWS PANKRATION 2021 にて、ソラコム松下が発表した「IoT セキュリティで重要な "認証鍵" どこに保管する?AWS IoT EduKit から学ぶ "セキュアエレメント" の役割と機能」の資料です。

グローバルイベントのため、スライドは英語です。

SORACOM

November 20, 2021
Tweet

More Decks by SORACOM

Other Decks in Technology

Transcript

  1. IoT セキュリティで重要な「認証鍵」どこに保管する? AWS IoT EduKit から学ぶ「セキュアエレメント」の役割と機能 Where does store an

    “important” credential? What to learn what is a secure element from AWS IoT EduKit. Nov. 20, 2021 JAWS PANKRATION 2021 Kohei “Max” MATSUSHITA / @ma2shita Technology Evangelist at Soracom, Inc.
  2. Technology Evangelist at Soracom, Inc. Kohei MATSUSHITA "Max" Introduce IoT

    and SORACOM. In total, talks more than 400 times. And AWS Hero (of IoT, at 2020) Call me pls. Max @ma2shita
  3. ソースネクスト株式会社 「POCKETALK Ⓡ 」 外国語での双方向コミュニケーショ ンを実現するAI通訳機。 グローバル通信搭載で、電源を 入れれば、世界中ですぐに利用可能。 導入事例 利用したSORACOMサービス:SORACOM

    Air (plan01s / planX1)チップ型SIM(eSIM)搭載 サービス * 対応言語の詳細は製品ウェブサイトをご確認ください 協力パートナー:JENESIS株式会社
  4. Agenda AWS IoT EduKit ✓ ESP32 (Based on M5Stack Core2)

    ✓ FreeRTOS ✓ ATECC608A Trust&GO Secure Element ?
  5. Cloud Network Sensors/Devices “Things” IoT Device has credentials for IoT

    resources for Connection for Cloud theft Unauthorized access
  6. Minimize damage by policies on AWS IoT Core Limit topics

    to be published. (Similar AWS IAM policy.) But it's not perfectly...
  7. Root of Trust and Secure Element Root of Trust (RoT;

    信頼の起点) A source that can be used as the initial starting point for authentication and/or encryption. Secure Element (SE) This is an implementation of RoT, an example is the IC card. • Hardware characteristic: Physical destruction will cause internal data to disappear. (Tamper resistant; 耐タンパー性) • Software characteristic: Internal data can be accessed only through established procedures. Hard to theft and duplicate.
  8. AWS IoT EduKit has a SE !! AWS IoT EduKit

    ✓ ESP32 (Based on M5Stack Core2) ✓ FreeRTOS ✓ ATECC608A Trust&GO Secure Element
  9. ATECC608A is Microchip’s SE Ordinary ATECC608A The chip is Empty

    (空っぽ). X.509 certs. are generated your self using commands inside the chip. (自分で作る) ATECC608A Trust&Go The chip has a X.509 certs. that can be used for AWS IoT Core authentication. (出荷時に入ってる) Also called “Provisioned”. ATECC608A “Trust&Go” has a X.509 certs.
  10. AWS IoT Core supports client authentication 1. X.509 client certs.

    2. AWS IAM users (SigV4) 3. Amazon Cognito identities https://docs.aws.amazon.com/iot/latest/developerguide/client-authentication.html AWS IoT Core
  11. AWS IoT Core ATECC608A Trust&Go supports new authentication methods 1.

    X.509 client certs. Method Overview Pros. Cons. 1-Click certs. AWS IoT provides client certificates that are signed by the Amazon Root CA. Very easy and faster. The private key and client certificate need to be transferred to the device. Generate using CSR Create a signing request (CSR) from the private key at hand (generated by the device) and request the IoT Core to sign it to get the client certificate. No need to transfer the private key. The client certificate need to be transferred to the device. Other Root CA Use a client certificate issued by another Root CA based on the private key at hand in the IoT Core. Can use "just in time registration" that feature for large number devices. Root CA registration is required before starting IoT Core operations. In addition, it is necessary to register the relevant client certificate before connecting the device. (Root CA operation too.) Register a client certificate signed by an unregistered CA Register with the IoT Core using only the client certificate. (Root CA registration is not required) Can start without a Root CA. it is necessary to register the relevant client certificate before connecting the device. X.509 certs. in "ATECC608A Trust&Go" can be used
  12. Try “Register a client certificate signed by an unregistered CA”

    with OpenSSL and mosquitto https://qiita.com/ma2shita/items/23b91de6df70711119c7 Japanese... But we can use “DeepL” !!
  13. Conclusion IoT devices are deployed ANYWHERE !! • Protect against

    theft. It has important credentials. • Don't forget to policies, too. Secure Element is good solution. • High tamper resistant, it can be used as RoT. • “Provisioned” SE has X.509 certs. that can be used for authentication of IoT Core. • Having said that, Hardware is HARD!! 🤔
  14. reTerminal also contains an ATECC608A ✓ Based on Raspberry Pi

    CM4 CM: Check it out !! 12/16 (JP) https://soracom.connpass.com/event/231689/