A unique identity for IoT devices is a fundamental building block to ensure the secure and efficient operation of the IoT ecosystem. Each IoT device must have a unique identifier assigned during manufacturing or provisioning. This serves as the anchor for device identification, authentication, and communication.
Having a unique identity distinguishes each IoT device from others in the network, permitting precise identification and tracking. On the one hand, this enables efficient management, maintenance, and troubleshooting. The unique identity allows devices to be easily located, monitored, and updated, reducing operational complexities, and enhancing overall system reliability.
Device identity is also the basis for authentication and access control. Ensuring uniqueness is crucial to prevent unauthorised devices from masquerading as legitimate ones. Assigning a unique identity makes it possible to establish trust and ensure that only authorised devices can connect to the network. The unique identity also makes it possible to assign privileges for specific authenticated devices, to access resources or perform certain actions appropriate to their role, based on predefined policies. In this way, device identity provides protection against unauthorised access, data breaches, and potential malicious activities.
Various strategies can be used to assign device identities, although critical requirements include consideration for scalability, interoperability, and robust security features. Scalability is increasingly important as the number of IoT devices grows exponentially. A suitable device identification scheme needs to be able to handle large numbers of devices, without sacrificing performance or security. Efficient management capabilities are also needed, such as device registration, provisioning, and revocation, to ensure easy administration of the device ecosystem.
One common approach to device identification is to assign Universally Unique Identifiers (UUIDs), also known as globally unique identifiers (GUIDs), during the manufacturing process, to be embedded in hardware or firmware. A common form of UUID is defined in ITU-T X.667 and ISO/IEC 9834-8. It comprises a 128-bit (16 octets) string expressed as hexadecimal digits with a hyphen separating the different fields. The coding includes a timestamp and the MAC address of the generating computer. An example may be: f81d4fae-7dec-11d0-a765-00a0c91e6bf6. Because there is no centralised authority for generating UUIDs, it is possible that two devices may share the same UUID, although the probability is extremely small.
The device identity will be the basis for the authentication and authorisation of the device, so this identity must have some properties. It must be immutable, non-falsifiable, and must also not be cloneable. For implementing these properties, some cryptographic techniques can be used employing asymmetric key pairs. The unique private keys are assigned during production, and securely stored on the device, while corresponding public keys are used for authentication and secure communication with other entities in the IoT ecosystem. One example is X.509 certificates.
X.509 is a standard format for public key certificates. Now adapted for Internet use, the certificates bind cryptographic key pairs to an entity’s identity. This facilitates strong authentication by verifying the identity of the certificate holder. The associated encryption and integrity mechanisms enable secure communication, ensuring authenticity, integrity, confidentiality, and protection against tampering or eavesdropping. Certificate authorities (CAs) hold the private encryption keys needed to issue and sign certificates and thus establish a chain of trust.
Managing identification and identities
There is no single organisation appointed to administer IoT device identities. Identity providers can vary, depending on the specific deployment and requirements of the IoT ecosystem. In practice, there is a multitude of providers that offer services for managing IoT device identities and authentication.
Different organisations or platforms may provide their own identity solutions tailored for IoT, and they can act as identity providers for their respective IoT devices. They may offer additional, related services like device registration, authentication, access control, and other identity management functionalities.
Popular identity providers include well-known cloud computing and IoT service providers. IoT solutions deployed on their platforms may use their services to handle device identity management. On the other hand, well-known certificate authorities (CAs) such as DigiCert, GlobalSign, and Keyfactor offer IoT identity and security solutions. These include the management of X.509 certificates.
In addition, manufacturers of ICs such as microcontrollers offer solutions that allow them to act as IoT device certificate authorities. The devices integrate hardware-based security features, such as secure storage, cryptographic algorithms, and key management capabilities that allow the manufacturer to act as a CA, and so issue and manage X.509 certificates for IoT devices directly on the microcontroller. Using such solutions can simplify the integration of secure identities into IoT devices and enhance the overall security of IoT ecosystems.
Alternatively, device identity can be assigned during provisioning, as the device is configured for attachment to the network. The identity can be securely generated within a secure element or trusted platform module (TPM), which may be included as part of the IoT device’s circuitry. The associated cryptographic keys are then securely provisioned.
Otherwise, a unique identifier can be generated from a combination of factors such as a device-specific hardware attribute, random number, or cryptographic hash. The generated identifier is stored securely in the device’s memory or associated with the device record in an identity management system.
Another approach is for the device to obtain its identity dynamically during the provisioning process. In this case, the device may communicate with an identity provider or backend system during initial setup or registration and receive a unique identifier assigned by the provisioning system.
Assigning a unique identity to IoT devices is essential to enable the deployment to function properly and to ensure security by excluding unauthorised or unknown devices. Given the nature of typical IoT applications, which is to capture vast quantities of data from large numbers of connected devices, scalability is a critical requirement of any identification scheme. In addition, consideration for device registration, provisioning, and revocation is required.
The identity of a device can be assigned at manufacture or during provisioning, as the device is configured and set up within the system. A number of approaches are available, including assigning UUIDs and using cryptographic techniques like X.509 certificates, which may be administered by the device manufacturer, IoT platform host, or various other trusted entities.
With the help of the product modification capabilities in its programming centres, Avnet Silica offers a range of services that include identity injection, or identity collection, depending on the products and use cases, and can ship identifiable parts to the contracts manufacturers and send the list of identities (a.k.a. whitelists) to customers.
|+27 11 319 8600
|+27 11 319 8650
|More information and articles about Avnet Silica
© Technews Publishing (Pty) Ltd | All Rights Reserved