信頼の起点) A source that can be used as the initial starting point for authentication and/or encryption. Secure Element (SE) This is an implementation of RoT, an example is the IC card. • Hardware characteristic: Physical destruction will cause internal data to disappear. (Tamper resistant; 耐タンパー性) • Software characteristic: Internal data can be accessed only through established procedures. Hard to theft and duplicate.
(空っぽ). X.509 certs. are generated your self using commands inside the chip. (自分で作る) ATECC608A Trust&Go The chip has a X.509 certs. that can be used for AWS IoT Core authentication. (出荷時に入ってる) Also called “Provisioned”. ATECC608A “Trust&Go” has a X.509 certs.
X.509 client certs. Method Overview Pros. Cons. 1-Click certs. AWS IoT provides client certificates that are signed by the Amazon Root CA. Very easy and faster. The private key and client certificate need to be transferred to the device. Generate using CSR Create a signing request (CSR) from the private key at hand (generated by the device) and request the IoT Core to sign it to get the client certificate. No need to transfer the private key. The client certificate need to be transferred to the device. Other Root CA Use a client certificate issued by another Root CA based on the private key at hand in the IoT Core. Can use "just in time registration" that feature for large number devices. Root CA registration is required before starting IoT Core operations. In addition, it is necessary to register the relevant client certificate before connecting the device. (Root CA operation too.) Register a client certificate signed by an unregistered CA Register with the IoT Core using only the client certificate. (Root CA registration is not required) Can start without a Root CA. it is necessary to register the relevant client certificate before connecting the device. X.509 certs. in "ATECC608A Trust&Go" can be used
theft. It has important credentials. • Don't forget to policies, too. Secure Element is good solution. • High tamper resistant, it can be used as RoT. • “Provisioned” SE has X.509 certs. that can be used for authentication of IoT Core. • Having said that, Hardware is HARD!! 🤔