IoT セキュリティで重要な「認証鍵」どこに保管する？AWS IoT EduKit から学ぶ「セキュアエレメント」の役割と機能/Where does store an “important” credential

Transcript

1. IoT セキュリティで重要な「認証鍵」どこに保管する？ AWS IoT EduKit から学ぶ「セキュアエレメント」の役割と機能 Where does store an

   “important” credential? What to learn what is a secure element from AWS IoT EduKit. Nov. 20, 2021 JAWS PANKRATION 2021 Kohei “Max” MATSUSHITA / @ma2shita Technology Evangelist at Soracom, Inc.

2. Technology Evangelist at Soracom, Inc. Kohei MATSUSHITA "Max" Introduce IoT

   and SORACOM. In total, talks more than 400 times. And AWS Hero (of IoT, at 2020) Call me pls. Max @ma2shita

3. ソースネクスト株式会社 「POCKETALK Ⓡ 」 外国語での双方向コミュニケーショ ンを実現するAI通訳機。 グローバル通信搭載で、電源を 入れれば、世界中ですぐに利用可能。 導入事例 利用したSORACOMサービス：SORACOM

   Air （plan01s / planX1）チップ型SIM（eSIM）搭載 サービス * 対応言語の詳細は製品ウェブサイトをご確認ください 協力パートナー：JENESIS株式会社

4. Agenda AWS IoT EduKit ✓ ESP32 (Based on M5Stack Core2)

   ✓ FreeRTOS ✓ ATECC608A Trust&GO Secure Element ？

5. Cloud Sensors/Devices “Things” Network Digitalize Connecting Utilize the Data Digitalizing

   the Real World What is “IoT” ?

6. IoT Devices are deployed ANYWHERE !!

7. Cloud Network Sensors/Devices “Things” IoT Device has credentials for IoT

   resources for Connection for Cloud theft Unauthorized access

8. Minimize damage by policies on AWS IoT Core Limit topics

   to be published. (Similar AWS IAM policy.) But it's not perfectly...

9. Using an Encrypt filesystem in case of theft? https://www.slideshare.net/matoken/ext4fs https://vgough.github.io/encfs/

   Where does store the decrypt key? Oh... It’s looping!!!

10. IoT Devices need “Root of Trust”

11. Root of Trust and Secure Element Root of Trust (RoT;

    信頼の起点) A source that can be used as the initial starting point for authentication and/or encryption. Secure Element (SE) This is an implementation of RoT, an example is the IC card. • Hardware characteristic: Physical destruction will cause internal data to disappear. (Tamper resistant; 耐タンパー性) • Software characteristic: Internal data can be accessed only through established procedures. Hard to theft and duplicate.

12. TPM 2.0 # PC搭載セキュリティチップ （TPM）の 概要と最新動向

13. TPM 2.0 https://qiita.com/mune10/items/5f565fcd8f010179d529 https://qiita.com/mune10/items/cf45a296193bb78f5c5b Software based TPM for Raspberry Pi

    / Linux. (for testing...)

14. AWS IoT EduKit has a SE !! AWS IoT EduKit

    ✓ ESP32 (Based on M5Stack Core2) ✓ FreeRTOS ✓ ATECC608A Trust&GO Secure Element

15. ATECC608A Trust&GO Secure Element in Bottom module

16. ATECC608A is Microchip’s SE Ordinary ATECC608A The chip is Empty

    (空っぽ). X.509 certs. are generated your self using commands inside the chip. (自分で作る) ATECC608A Trust&Go The chip has a X.509 certs. that can be used for AWS IoT Core authentication. (出荷時に入ってる) Also called “Provisioned”. ATECC608A “Trust&Go” has a X.509 certs.

17. Get X.509 cert in “ATECC608A Trust&Go” via Python

18. AWS IoT Core supports client authentication 1. X.509 client certs.

    2. AWS IAM users (SigV4) 3. Amazon Cognito identities https://docs.aws.amazon.com/iot/latest/developerguide/client-authentication.html AWS IoT Core

19. AWS IoT Core ATECC608A Trust&Go supports new authentication methods 1.

    X.509 client certs. Method Overview Pros. Cons. 1-Click certs. AWS IoT provides client certificates that are signed by the Amazon Root CA. Very easy and faster. The private key and client certificate need to be transferred to the device. Generate using CSR Create a signing request (CSR) from the private key at hand (generated by the device) and request the IoT Core to sign it to get the client certificate. No need to transfer the private key. The client certificate need to be transferred to the device. Other Root CA Use a client certificate issued by another Root CA based on the private key at hand in the IoT Core. Can use "just in time registration" that feature for large number devices. Root CA registration is required before starting IoT Core operations. In addition, it is necessary to register the relevant client certificate before connecting the device. (Root CA operation too.) Register a client certificate signed by an unregistered CA Register with the IoT Core using only the client certificate. (Root CA registration is not required) Can start without a Root CA. it is necessary to register the relevant client certificate before connecting the device. X.509 certs. in "ATECC608A Trust&Go" can be used

20. Try “Register a client certificate signed by an unregistered CA”

    with OpenSSL and mosquitto https://qiita.com/ma2shita/items/23b91de6df70711119c7 Japanese... But we can use “DeepL” !!

21. Conclusion IoT devices are deployed ANYWHERE !! • Protect against

    theft. It has important credentials. • Don't forget to policies, too. Secure Element is good solution. • High tamper resistant, it can be used as RoT. • “Provisioned” SE has X.509 certs. that can be used for authentication of IoT Core. • Having said that, Hardware is HARD!! 🤔

22. More dive deep ...? https://ma2shita.medium.com/aws-iot-edukit-is-what- what-can-we-learn-from-it-96039238d712 https://qiita.com/ma2shita/items/dda457d178486a c0b94f SIM is

    Secure Element, too. How to use a SIM as RoT ? And more…

23. reTerminal also contains an ATECC608A ✓ Based on Raspberry Pi

    CM4 CM: Check it out !! 12/16 (JP) https://soracom.connpass.com/event/231689/

24. Secure Element, Yeah ! I know everything!! 完全に理解した! ご安全に IoT

    !! Safety IoT !!

25. You Create. We Connect.