TrustCentral’s Trust Stack for the IoT is the combination of five Authentication IoT security and management elements (provided by others)
plus
TrustCentral’s Authorization IoT building blocks
The Trust Stack for the IoT
PKI
The key foundation of the Trust Stack is Public Key Infrastructure (PKI). PKI is also the foundation of security for the Internet itself. The Platform will incorporate a complete X.509 PKI and Privilege Management Infrastructure (PMI).
DEVICE ROOT OF TRUST
IoT security begins at the device level with a unique, securely stored or accessible, non-volatile ID or private key in order to provide a secure root of trust. For an IoT device, such a root of trust can be achieved at the chip level through the use of one or more existing technologies. In one example, a digital “fingerprint” can be created using a small portion of a device’s silicon with the application of PUF (Physically Unclonable Function) technology. The PUF becomes a digital “anchor” to provide vital, security-supporting capabilities. Another method of establishing a root of trust is key injection into the chip during its production process (key injection must be executed with precision using industry standard procedures).
To take full advantage of the Security Ecosystem features, IoT devices are provisioned with crypto capabilities allowing them to perform functions such as encryption and decryption of data, digital signing and other functions. Provisioning should include the installation of public keys to trust (not only for trusted firmware updates but for secured needs, such as for an IoT device to allow trusted access by a maintenance group). Crypto implementations must also anticipate future threats from quantum computing to present day crypto algorithms.
(For human-controlled devices such as computers, tables and mobile devices, other technologies can be used to provide a comparable root of trust.)
DEVICE IDENTITY CERTIFICATION
The system provides for the authentication of a cryptographically-secure, non-repudiable identity tied directly to each IoT end-point. For example, an identity may be as a particular vehicle ECU (Electronic Control Unit), sensor, etc. Validation of that identity is confirmed by the issuance of a PKI certificate. (Note that the Security Ecosystem can manage the process of authenticating identities and issuing these certificates.)
SECURITY BEST PRACTICES
The TrustCentral solution implementation includes the adoption of industry best practices. One of the most important best practices is secure boot. Another is secure, signed firmware updating and management. Every IoT device within a vehicle (or devices within external infrastructure that a vehicle might interface with, etc.) should be updatable with authenticated, signed firmware. There are a variety of standards that can be used to accomplish this including Over the Air (OTA). Further, firmware updates may be executed on different firmware types (e.g., boot images, higher-level embedded code and underlying software components) as well as being accomplished in chunks in order to minimize device power consumption.
ANOMALY DETECTION, FAILURE REPORTING
Anomaly detection of IoT events or observations that do not conform to expected patterns is highly recommended. Also software failures (such as a buffer overrun induced by an attacker probing security) need to be reported to central failure analysis system.
AUTHORIZATION INNOVATIONS
PRIVILEGE MANAGEMENT INFRASTRUCTURE (PMI)
TrustCentral’s innovative IP for IoT is built on the X.509 standard of Public Key Infrastructure (PKI) and Privilege Management Infrastructure (PMI).
ATTRIBUTE AUTHORITY
The Attribute Authority (AA) is fundamentally the conductor of most of TrustCentral’s magic. It performs many unique functions, including: acting as a Trusted Third Party mediating service provider for devices/endpoints; running the Inviter-Invitee Protocol to authenticate communication lines between paired endpoints; establishing and authenticating unique identities of IoT devices (or other computing devices); uniquely associating cryptographic keys to their identities; providing a trusted exchange of authenticated pubic keys between endpoints; arranging for the issuance of certificates; uniquely associating a PKI certificates and/or attribute certificates with endpoints, communication lines, groups, etc. as needed; as well as performing other functions.
INVITER-INVITEE PROTOCOL
Inviter-Invitee Protocol processing is used between two IoT devices (or other endpoints) for the purpose of creating Secure Communication Lines (see the next section). The Protocol addresses the challenge of authenticating relationships between devices with cryptographic certainty (whether the devices are remote and/or local). Inviter-Invitee Processing utilizes elements of Foundational Security and employs a methodology that thwarts man-in-the-middle attacks. Completion includes acceptance of any digital agreement(s) proffered by the inviter. Inviter and Invitee Processing generates digital audit trails. This standards-based system enables non-repudiation of endpoint events and data to be adjudicated effectively by external parties.
SECURE COMMUNICATION LINES
Securing communication from an IoT device has historically been achieved from a central point to each endpoint device (a one-to-many relationship). TrustCentral could also do this, however as compared to a common, centrally managed PKI, the Security Ecosystem’s innovation technology adds a innovative capability by providing endpoints with the ability to authenticate paired relationships with each other through the application of TrustCentral’s patented Inviter-Invitee Protocol. Upon the successful completion of the Inviter-Invitee Protocol, a secure, persistent, authenticated communication line is established between the two endpoints. This comprehensive application creates multiple one-to-one relationships that can grow to an effectively unlimited number of such authenticated pairs. Communication lines are created on an as-needed-basis.
Communication Lines are characterized by endpoints with context-specific identities that are typically governed by an end-to-end digital agreement. They are auditable, brokered, trusted-relationships where such relationships/digital agreements can each stand-alone, for privacy purposes, or can leverage the build-up of identity confidence levels across relationships. The Security Ecosystem’s Attribute Authority (AA) acts as a Trusted Third Party mediating service provider for users/devices in running the Inviter-Invitee Protocol used to authenticate each communication line by: (a) establishing and authenticating unique identities of IoT devices (or computing devices); (b) uniquely associating cryptographic keys to their identities and those of their invitees; (c) providing a trusted exchange of authenticated pubic keys between the endpoints (d) uniquely associating an attribute certificate with each communication line.
Communication Lines detail the authenticated relationship established between each pair of endpoints; this is not a communication protocol, rather it is used independently of existing network/IoT communications protocols without conflict.
The application of communication lines permits a fundamental and beneficial change when using TLS for secure sessions between endpoints. Communication lines enhance authentication and security by advancing from the traditional principle of “Trust on First Use” (TOFU) to an improved paradigm available through the leveraging of the embedded, long-lived pre-pairing of communication lines and the result being TrustCentral’s new principal of “Trusted Before First Use”.
CERTIFICATE-ENFORCED WHITELISTING
Building on the Secure Communication Line innovation, Certificate-Enforced Whitelisting of IoT devices can be achieved whereby IoT devices only talk to previously authenticated devices and no others. Non-authenticated and potentially malicious endpoints (whether IoT or not) will not have a digital certificate therefore a Certificate-Enforced Whitelisting-compliant endpoint device will not communicate with it. Thus devices become undiscoverable by random scanning (e.g., SHODAN) and security is increased. Hacking and spoofing becomes more difficult: no communication line, no certificate, no access.
TrustCentral’s Anti-Spoofing architecture is supported by a certificate-enforced model based on authenticated communication lines. The result could be considered “whitelisting on steroids”.
A key product of Certificate-Enforced Whitelisting is that device trust is enhanced by making adversarial intrusion more difficult to succeed.
SECURE IoT DEVICE GROUPS
Devices/endpoints may be grouped into different groups and subgroups based on predetermined criteria. This can provide unique stratifications for security and management of devices. Each group membership is established through respective attribute certificates of the respective devices, which may include associated rules for group membership in the attribute certificate. Device group management provides more than one layer of security by permitting communication only between designated groups and/or subgroups. Also, the use of rules associated with communication lines and/or groups may further direct the handling of information for data privacy, for example, by including a requirement(s) for encryption of data; or directing from devices/endpoints may or may not receive specified data. TrustCentral’s technology provides granularity of communication and data security requirements in such use cases.
In one example, a “group” could include all of the IoT devices in a single vehicle and a subgroup might encompass the rear sensors. In another group, authenticated personnel could be assigned to a “Maintenance Group” with that group’s membership manageable in real-time (any Maintenance Group member could be trusted by a vehicle’s IoT devices with that trust being confirmed by the “trusted” group attribute. Other examples of possible groups are: the traffic lights in a city; all of the vehicles of a single OEM; a city’s fire engines; a defined group of roadway sensors; etc.
TRUSTWORTHINESS AND REPUTATION
Through the use of secure communication lines to establish relationships between known endpoints, trust and reputation become usable as reliable factors. Performance metrics of established communication lines affect reputation of participating endpoints. Reputation of devices and of users is dependent upon perceived device robustness (which may change during the life-cycle of a given instance of a device), payment timeliness, and service performance timeliness, completeness, accuracy and other factors. The measurement of endpoint reputation, is critical for many reasons, not the least of which is that reputation is the glue that securely binds blockchain and IoT
CROSS-CERTIFICATION
The Security Ecosystem can be extended across multiple enterprise and/or government entities. To support this there will be more than one PKI in use (which means more than one certification authority issuing PKI and attribute certificates). The extension of IoT Device, IoT Device Group and other endpoint trust relationships will require coordination between PKI’s. These PKI’s will each incorporate a TrustCentral proprietary Attribute Authority (AA). The AA will coordinate and cross-certify Secure Communication lines, Secure Groups and other Security Ecosystem proprietary relationships, thus extending device and group trust from one PKI to another. [This process becomes involved for the automotive use case; see Autonomous Vehicles & V2X].
TRUSTCENTRAL SOLUTION PLATFORM
These described components encompass the Security Ecosystem Platform with the addition of one vital element: TrustCentral’s proprietary Attribute Authority (AA). This Attribute Authority allows the Security Ecosystem Platform to use PKI and PMI in innovative ways. For example, the AA acts as the trusted third party to facilitate and authenticate the secure exchange of public keys between endpoints. The AA also acts as the trusted third party during the Inviter-Invitee Protocol that is used to authenticate and establish persistent, secure relationships between endpoints. It is the AA (coordinating each of the PKI’s of multiple Security Ecosystems) that causes device trust to be fully extended through cross-certification.
All of these capabilities are made available for external use and management through the TrustCentral API (refer to the API page on this site).
ACCOUNTING ELEMENTS
TrustCentral will deliver a robust IoT Accounting solution, including capabilities to monitor and record each device’s activity. This solution is designed with robust layered auditability measures, will make extensive use of digital signing capabilities, while also providing support for granular accounting metrics. The system will provide trusted records, devices and data.