Telecoms, Datacoms, Wireless, IoT


Device identification’s critical role in IoT protection

22 November 2023 Telecoms, Datacoms, Wireless, IoT

A unique identity for IoT devices is a fundamental building block to ensure the secure and efficient operation of the IoT ecosystem. Each IoT device must have a unique identifier assigned during manufacturing or provisioning. This serves as the anchor for device identification, authentication, and communication.

Having a unique identity distinguishes each IoT device from others in the network, permitting precise identification and tracking. On the one hand, this enables efficient management, maintenance, and troubleshooting. The unique identity allows devices to be easily located, monitored, and updated, reducing operational complexities, and enhancing overall system reliability.

Device identity is also the basis for authentication and access control. Ensuring uniqueness is crucial to prevent unauthorised devices from masquerading as legitimate ones. Assigning a unique identity makes it possible to establish trust and ensure that only authorised devices can connect to the network. The unique identity also makes it possible to assign privileges for specific authenticated devices, to access resources or perform certain actions appropriate to their role, based on predefined policies. In this way, device identity provides protection against unauthorised access, data breaches, and potential malicious activities.

Assigning identity

Various strategies can be used to assign device identities, although critical requirements include consideration for scalability, interoperability, and robust security features. Scalability is increasingly important as the number of IoT devices grows exponentially. A suitable device identification scheme needs to be able to handle large numbers of devices, without sacrificing performance or security. Efficient management capabilities are also needed, such as device registration, provisioning, and revocation, to ensure easy administration of the device ecosystem.

One common approach to device identification is to assign Universally Unique Identifiers (UUIDs), also known as globally unique identifiers (GUIDs), during the manufacturing process, to be embedded in hardware or firmware. A common form of UUID is defined in ITU-T X.667 and ISO/IEC 9834-8. It comprises a 128-bit (16 octets) string expressed as hexadecimal digits with a hyphen separating the different fields. The coding includes a timestamp and the MAC address of the generating computer. An example may be: f81d4fae-7dec-11d0-a765-00a0c91e6bf6. Because there is no centralised authority for generating UUIDs, it is possible that two devices may share the same UUID, although the probability is extremely small.

The device identity will be the basis for the authentication and authorisation of the device, so this identity must have some properties. It must be immutable, non-falsifiable, and must also not be cloneable. For implementing these properties, some cryptographic techniques can be used employing asymmetric key pairs. The unique private keys are assigned during production, and securely stored on the device, while corresponding public keys are used for authentication and secure communication with other entities in the IoT ecosystem. One example is X.509 certificates.

X.509 is a standard format for public key certificates. Now adapted for Internet use, the certificates bind cryptographic key pairs to an entity’s identity. This facilitates strong authentication by verifying the identity of the certificate holder. The associated encryption and integrity mechanisms enable secure communication, ensuring authenticity, integrity, confidentiality, and protection against tampering or eavesdropping. Certificate authorities (CAs) hold the private encryption keys needed to issue and sign certificates and thus establish a chain of trust.

Managing identification and identities

There is no single organisation appointed to administer IoT device identities. Identity providers can vary, depending on the specific deployment and requirements of the IoT ecosystem. In practice, there is a multitude of providers that offer services for managing IoT device identities and authentication.

Different organisations or platforms may provide their own identity solutions tailored for IoT, and they can act as identity providers for their respective IoT devices. They may offer additional, related services like device registration, authentication, access control, and other identity management functionalities.

Popular identity providers include well-known cloud computing and IoT service providers. IoT solutions deployed on their platforms may use their services to handle device identity management. On the other hand, well-known certificate authorities (CAs) such as DigiCert, GlobalSign, and Keyfactor offer IoT identity and security solutions. These include the management of X.509 certificates.

In addition, manufacturers of ICs such as microcontrollers offer solutions that allow them to act as IoT device certificate authorities. The devices integrate hardware-based security features, such as secure storage, cryptographic algorithms, and key management capabilities that allow the manufacturer to act as a CA, and so issue and manage X.509 certificates for IoT devices directly on the microcontroller. Using such solutions can simplify the integration of secure identities into IoT devices and enhance the overall security of IoT ecosystems.

Alternatively, device identity can be assigned during provisioning, as the device is configured for attachment to the network. The identity can be securely generated within a secure element or trusted platform module (TPM), which may be included as part of the IoT device’s circuitry. The associated cryptographic keys are then securely provisioned.

Otherwise, a unique identifier can be generated from a combination of factors such as a device-specific hardware attribute, random number, or cryptographic hash. The generated identifier is stored securely in the device’s memory or associated with the device record in an identity management system.

Another approach is for the device to obtain its identity dynamically during the provisioning process. In this case, the device may communicate with an identity provider or backend system during initial setup or registration and receive a unique identifier assigned by the provisioning system.

Conclusion

Assigning a unique identity to IoT devices is essential to enable the deployment to function properly and to ensure security by excluding unauthorised or unknown devices. Given the nature of typical IoT applications, which is to capture vast quantities of data from large numbers of connected devices, scalability is a critical requirement of any identification scheme. In addition, consideration for device registration, provisioning, and revocation is required.

The identity of a device can be assigned at manufacture or during provisioning, as the device is configured and set up within the system. A number of approaches are available, including assigning UUIDs and using cryptographic techniques like X.509 certificates, which may be administered by the device manufacturer, IoT platform host, or various other trusted entities.

With the help of the product modification capabilities in its programming centres, Avnet Silica offers a range of services that include identity injection, or identity collection, depending on the products and use cases, and can ship identifiable parts to the contracts manufacturers and send the list of identities (a.k.a. whitelists) to customers.


Credit(s)



Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Harnessing IoT for the future of agriculture
Telecoms, Datacoms, Wireless, IoT
As the agricultural landscape becomes more complex, there is a need for adopting scalable and adaptable connectivity solutions.

Read more...
Wireless LTE connectivity
Otto Wireless Solutions Telecoms, Datacoms, Wireless, IoT
Links Field Network’s focus is international roaming data, and by leveraging their holding company’s international footprint and pricing structure, Links Field Networks South Africa works closely with their local shareholder to offer fully connected devices, regardless of where it is to be used globally.

Read more...
Evolution of the connected healthcare system
Concilium Technologies Telecoms, Datacoms, Wireless, IoT
The combination of advances in the Internet of Things (IoT), artificial intelligence (AI), machine learning (ML), and cloud services impact the changes you see in healthcare today.

Read more...
RF agile transceiver
Altron Arrow Telecoms, Datacoms, Wireless, IoT
The AD9361S-CSL from Analog Devices is a high performance, highly integrated, RF agile transceiver designed for use in 3G and 4G applications operating up to 6 GHz.

Read more...
Compact MCU with advanced customisation
Future Electronics Telecoms, Datacoms, Wireless, IoT
The Microchip PIC16F13145 is the ideal solution for designs with minimal logic and configurable analogue I/O, featuring rapid comparators for improved data acquisition.

Read more...
2 GHz RF amplifier
RF Design Telecoms, Datacoms, Wireless, IoT
The GRF9461 from Guerrilla RF is an RF gain block that operates from 40 MHz to 2,0 GHz and provides a gain of 19,8 dB with a noise figure of 1,8 dB.

Read more...
AFE enables the software-defined factory
Avnet Silica Analogue, Mixed Signal, LSI
With its software configurable analogue inputs, where each input can be configured for voltage, current, resistance, or temperature, NXP’s N-AFE enables a new level of flexibility.

Read more...
How will Matter help us meet the smart home promise?
Avnet Silica Editor's Choice Telecoms, Datacoms, Wireless, IoT
From door locks to fridges, robot vacuum cleaners to security cameras, using Matter should mean consumers only need one app and controller to manage and monitor all the smart devices in their homes, instead of one per ecosystem.

Read more...
Easy monitoring of remote farm assets
CST Electronics Telecoms, Datacoms, Wireless, IoT
NeoCortec, providers of ultra-low-power bi-directional wireless mesh network hardware and software solutions, is working together with farmIT to enable easy monitoring of remote Australian farm assets.

Read more...
All-new NarrowBand-Internet of Things platform
RF Design Telecoms, Datacoms, Wireless, IoT
Cavli’s C42GM is an LTE CAT M/NB1/NB2 compatible IoT-Smart Module that comes with an integrated eSIM (MMF2) provision resulting in its globe roaming capability.

Read more...