TrustCentral’s proprietary technology for IoT device security and management aligns with accepted network security principles of:
- Authentication (device identity)
- Authorization (device privileges)
- Accounting (device usage, activity parameters, etc.)
TrustCentral’s technology is particularly appropriate for limited-resource IoT devices that:
- Shouldn’t be expected to make complex decisions
- Should be armed with appropriate tools to support their own security
- Need to be able to operate in hostile environments
- Need to authenticate each of the limited number of paired endpoints with which they communicate
- Need to operate within precise rules of authorization and privilege
- Need their data and activities to be accounted for
DEVELOPING INDUSTRY STANDARDS
Over recent years, technology elements (we identify five of them, each provided by others) have been developed and refined in support of the authentication of IoT devices. An ecosystem of interrelated technologies is becoming aligned to achieve this.
BUILT ON PKI
These complementary technologies are being established on a common foundation of Public Key Infrastructure (PKI). Beyond PKI, these integrated foundational elements include a device root of trust, certificate-based authentication, security best practices and anomaly detection/failure reporting.
Authorization is the process that determines what an authenticated device can and cannot do relative to other devices and endpoints. Authorization works hand-in-hand with authentication. TrustCentral’s primary value-added for the support of AAA for IoT is its proprietary technology for device authorization, privileges, etc.
In order to support IoT device authentication, a core TrustCentral proprietary feature builds upon the previously identified ecosystem of authentication elements through the establishment, authentication and authorization of secure communication lines (i.e., relationships) between endpoints.
In general, the basic unit of IoT device communication is a pair: either between two endpoints or between an endpoint and an authorized group. The actions of IoT devices (particularly insecure actions) are often centered around their unauthorized or improper communication with other endpoints. Communication lines support authorized device interactions.
ATTRIBUTE AUTHORITY, ATTRIBUTE CERTIFICATES
TrustCentral’s innovative IP for IoT is built on the cryptographic standards of Public Key Infrastructure (PKI) and Privilege Management Infrastructure (PMI). Communication line paired relationships are authenticated with PMI attribute certificates that also authorize device privileges and rules. TrustCentral’s proprietary use of PKI and PMI provides IoT devices with simple, easy-to-follow and precise instructions at the device level that are appropriate for such limited-resource devices.
TrustCentral’s proprietary Attribute Authority acts as a Trusted Third Party mediating service provider for users/devices and performs many unique functions. Two of the major roles of the Attribute Authority are:
- Running an Inviter-Invitee Protocol to authenticate communication lines between paired endpoints (which establish and make known the channels on which communication must flow)
- Generating signed attribute certificates that are associated with an endpoint identity or with a specific communication line shared by a pair of endpoints. These certificates authenticate and authorize the relationships of endpoints that receive and transmit to and from each other (or with groups) together with associated privileges, rules and authorizations.
Networks may implement the solution by authenticating, pairing and authorizing each device as it goes into service. What could otherwise end up being a complex network of IoT devices may instead become a network of specifically white-listed device relationships that is enforced and secured by a combination of PKI and attribute certificates. The result will be an exact, precise, auditable and secure network of IoT devices.
USE CASE EXAMPLE: this technology will not only support IoT device security and management, but also offer DDoS mitigation at the device level.
USE CASE EXAMPLE: a component of vehicle A may be able to distinguish that it is receiving a command or query from a component of vehicle A as opposed to a component of vehicle B, and may be able to ascertain the legitimacy of the command or query as coming from a drive component as opposed to coming from an entertainment system component so that appropriate authorization and/or confidential isolation can be achieved even within the same vehicle.
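The default-deny decision a device could make under this white-listed relationship model, shown for the vehicle case above. This is an added sketch, not TrustCentral's code or protocol: the certificate fields, endpoint names, commands and the `authorize` function are assumptions, an HMAC stands in for the Attribute Authority's public-key signature, and the sender's identity is assumed to be already authenticated.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC stands in for the Attribute Authority's
# public-key signature so the example needs only the standard library.
AA_KEY = b"constructed-demo-key"

def _mac(body):
    blob = json.dumps(body, sort_keys=True).encode()
    return hmac.new(AA_KEY, blob, hashlib.sha256).hexdigest()

def issue_line_cert(a, b, allow, not_after):
    """Authority side: bind one pair of endpoints to per-sender privileges."""
    body = {"endpoints": sorted([a, b]), "allow": allow, "not_after": not_after}
    return {"body": body, "sig": _mac(body)}

def authorize(certs, me, sender, command, now):
    """Device side: default-deny check of one incoming command."""
    cert = certs.get(sender)
    if cert is None:
        return "deny: no communication line"
    body = cert["body"]
    if not hmac.compare_digest(_mac(body), cert["sig"]):
        return "deny: bad signature"
    if body["endpoints"] != sorted([me, sender]):
        return "deny: certificate is for another pair"
    if now > body["not_after"]:
        return "deny: expired"
    if command not in body["allow"].get(sender, []):
        return "deny: privilege not granted"
    return "allow"

# Constructed sample: the brake controller of vehicle A and its two paired peers.
ME = "vehA/brake"
CERTS = {
    "vehA/drive": issue_line_cert(ME, "vehA/drive",
                                  {"vehA/drive": ["apply_brake", "status"]}, 2000),
    "vehA/infotainment": issue_line_cert(ME, "vehA/infotainment",
                                         {"vehA/infotainment": ["status"]}, 2000),
}

if __name__ == "__main__":
    for sender, cmd in [("vehA/drive", "apply_brake"),
                        ("vehA/infotainment", "apply_brake"),
                        ("vehB/drive", "apply_brake")]:
        print(sender, cmd, "->", authorize(CERTS, ME, sender, cmd, now=1000))
```

The device never evaluates anything beyond its own short list of paired peers, which is what keeps the check suitable for a limited-resource endpoint.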
The system will include capabilities to monitor and record each device’s activity. The system has been designed with layered auditability measures and makes extensive use of digital signing, thus providing support for granular accounting metrics.
In a published paper he wrote for the IEEE, Dr. Kravitz stated this about IoT device data: “Trusted transactions require trusted provenance”. In that paper he makes the case that TrustCentral’s technology can be used to solve the challenge of authenticating and trusting IoT device data (and accounting for it in the process). For more information, see Enhancing Blockchain (which provides immutability but not correctness): “Trusted transactions require trusted provenance”