
I'm working on an IoT product that uses the cloud once finished. Each of these devices has a serial number, from which a key is derived. This key is then stored on the device itself and in the cloud. These two mechanisms are working flawlessly and are secure when I'm producing the devices by myself.

Since this is not really scalable, I want the devices to get produced in China for obvious reasons, but the thing is: I don't really trust the producers there.

Right now the key generation is on a PC from which I can read the serial with NFC and then generate the key. To have a PC in China for this isn't the best idea in my opinion. (Even encrypted etc.) As soon as someone has physical access to the computer, it isn't yours anymore.

Does anyone have tips on how to secure such a process? In particular:

  • The key should be generated and stored on the device in a secure manner. The producer should not be able to alter the process.

  • The key should be transmitted automatically to the cloud. Is a normal TLS connection secure enough or any other suggestions?

Or maybe someone has general advice on best practices for a secure supply chain.

  • How do you know if this process is secure? You said your key is derived from a serial. If you produce the units yourself, your production is severely limited, and thus your serial range will be very small - and thus also your keyspace. –  Oct 29 '19 at 09:12
  • All other considerations aside, it sounds like you have designed the device to use symmetric encryption, when you could use asymmetric. The producer sends the serial number to your service, you generate a public/private key. The private key is in the cloud, and you send the producer the public key. Would that work? – schroeder Oct 29 '19 at 11:16
  • You might want to do some research / have a look into PKI (Public Key Infrastructure) and IAM (Identity and Access Management) for IoT devices. I assume there are many ways to implement this, depending on the details of your specific requirements and use cases. – DrKaoliN Oct 29 '19 at 11:37
  • Also, in my opinion, externalizing the generation of _secret_ keys to third parties does not sound like a secure practice in itself. Have you considered the option of decoupling device production from key generation? – DrKaoliN Oct 29 '19 at 12:02
  • And secondly, if you don't trust the hardware producers, can you really trust the devices they are making? – DrKaoliN Oct 29 '19 at 12:06
  • @MechMK1 Let's just assume that it is for this case. – Deserializer19 Oct 29 '19 at 17:40
  • @schroeder That sounds like a good idea to consider. I'll have a look at it. – Deserializer19 Oct 29 '19 at 17:42
  • @DrKaoliN Could you explain such a decoupling process? Do you mean like the device is produced in China and we add the key by ourselves at our own place? – Deserializer19 Oct 29 '19 at 17:44
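The comments above sketch an asymmetric, PKI-style enrollment in place of a serial-derived symmetric key. The following is an added example written for this page, not code from the question or from any commenter, and it differs from schroeder's sketch in one respect: the device generates its own keypair and keeps the private key, so nothing secret ever exists on the producer's station or on the wire. Everything else is an assumption for illustration: Ed25519 as the signature scheme, the `enroll:<serial>:<pubkey>` message layout, an allow-list of serials that the cloud issued for this production batch, and a device with a CSPRNG and protected key storage (for example a secure element). The producer's station only relays `Enrollment` messages; it cannot learn a key, cannot enroll a serial the cloud did not authorise, and cannot pair a serial with a key it does not hold, because the cloud checks the proof of possession before recording anything.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device models the IoT unit on the production line. The keypair is generated
// on the device itself and the private key never leaves it (assumption: the
// firmware has a CSPRNG and protected key storage, e.g. a secure element).
type Device struct {
	Serial string
	pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
}

// NewDevice generates the device keypair when the unit is first powered on.
func NewDevice(serial string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{Serial: serial, pub: pub, priv: priv}, nil
}

// Enrollment is what the producer's station relays to the cloud. It carries
// no secret: only the serial, the public key and a proof of possession.
type Enrollment struct {
	Serial string
	Pub    ed25519.PublicKey
	Sig    []byte
}

// enrollmentPayload binds the serial to the public key, so a relay cannot
// swap either one without invalidating the signature (constructed format).
func enrollmentPayload(serial string, pub ed25519.PublicKey) []byte {
	return append([]byte("enroll:"+serial+":"), pub...)
}

// Enroll builds the signed enrollment message.
func (d *Device) Enroll() Enrollment {
	payload := enrollmentPayload(d.Serial, d.pub)
	return Enrollment{Serial: d.Serial, Pub: d.pub, Sig: ed25519.Sign(d.priv, payload)}
}

// Cloud keeps the registry of device public keys and the serials that this
// production batch was authorised to use (constructed allow-list).
type Cloud struct {
	allowed map[string]bool
	keys    map[string]ed25519.PublicKey
}

func NewCloud(allowedSerials []string) *Cloud {
	c := &Cloud{allowed: map[string]bool{}, keys: map[string]ed25519.PublicKey{}}
	for _, s := range allowedSerials {
		c.allowed[s] = true
	}
	return c
}

// Register accepts an enrollment only for an authorised, not-yet-enrolled
// serial whose signature verifies under the public key it carries.
func (c *Cloud) Register(e Enrollment) error {
	if !c.allowed[e.Serial] {
		return errors.New("serial not in the production allow-list")
	}
	if _, done := c.keys[e.Serial]; done {
		return errors.New("serial already enrolled")
	}
	if len(e.Pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	if !ed25519.Verify(e.Pub, enrollmentPayload(e.Serial, e.Pub), e.Sig) {
		return errors.New("proof of possession failed")
	}
	c.keys[e.Serial] = e.Pub
	return nil
}

// NewChallenge is the cloud's half of later device authentication.
func (c *Cloud) NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Answer signs the challenge with the device's private key.
func (d *Device) Answer(nonce []byte) []byte { return ed25519.Sign(d.priv, nonce) }

// Authenticate checks the answer against the key recorded at enrollment.
func (c *Cloud) Authenticate(serial string, nonce, sig []byte) bool {
	pub, ok := c.keys[serial]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, nonce, sig)
}

func main() {
	cloud := NewCloud([]string{"SN-0001", "SN-0002"}) // constructed serials
	dev, err := NewDevice("SN-0001")
	if err != nil {
		panic(err)
	}
	fmt.Println("register:", cloud.Register(dev.Enroll()))
	nonce, _ := cloud.NewChallenge()
	fmt.Println("authenticated:", cloud.Authenticate("SN-0001", nonce, dev.Answer(nonce)))
}
```

With this split, the answer to the TLS question in the post changes character: the enrollment message is public data, so the channel mainly needs to authenticate the cloud endpoint (ordinary server-authenticated TLS does that) and the cloud needs the allow-list and the one-enrollment-per-serial rule to keep an untrusted station from registering extra or substituted units. The limited-keyspace concern raised in the first comment also disappears, because the key is no longer a function of the serial at all.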

0 Answers