or, How to put the S (for Security) in IoT
This presentation looks at how the hardware element of the Internet Of Things provides a secure channel for certificate distribution, rendering tractable previously rather difficult problems of key distribution.
We have become used to the concept of servers using TLS certificates to provide authentication and confidentiality. But it is quite rare to use the authentication mechanisms of TLS to identify the client to the server. The difficulty has always been key distribution. In TLS server certification we use offline verification, or, in the case of services like Let's Encrypt, (ab)use DNS as a verification mechanism. Client key management is a problem at a larger scale. It's arguable that the state of the art in distributing cryptographic keys to clients has been surreptitiously exchanging briefcases while ostensibly feeding pigeons on a park bench.
The Internet of Things (IoT), that is, the proliferation of low-cost autonomous mobile computing devices, further worsens the problem of scale. We are used to thousands of human users per server, and now we can expect hundreds or thousands of computing devices per human. Distributing all these keys via park benches can only lead to a crisis of pigeon obesity.
But IoT gives us a solution along with the problem. The device itself becomes the briefcase in which the client key is transported.
At Accelerando, we (ab)use traditional datacentre automation tools (our choice is SaltStack) to create client software images, to generate and provision keys, and then to enrol and manage TLS client certificates.
This allows an assembly-line process that delivers unique client keys to the field without endangering a single pigeon.