Assigning Identity
Various strategies can be used to assign device identities, although critical requirements include consideration for scalability, interoperability, and robust security features. Scalability is increasingly important as the number of IoT devices grows exponentially. A suitable device identification scheme needs to be able to handle large numbers of devices without sacrificing performance or security. Efficient management capabilities are also needed, such as device registration, provisioning, and revocation, to ensure easy administration of the device ecosystem.
One common approach to device identification is to assign Universally Unique Identifiers (UUIDs), also known as globally unique identifiers (GUIDs), during the manufacturing process, to be embedded in hardware or firmware. A common form of UUID is defined in ITU-T X.667 and ISO/IEC 9834-8. It comprises a 128-bit (16 octets) string expressed as hexadecimal digits with a hyphen separating the different fields. The coding includes a timestamp and the MAC address of the generating computer. An example may be: f81d4fae-7dec-11d0-a765-00a0c91e6bf6. Because there is no centralised authority for generating UUIDs, it is possible that two devices may share the same UUID, although the probability is extremely small.
As we will discuss in the next article in the IoT Security Series, the device identity will be the basis for the authentication and authorisation of the device, so this identity must have some properties. It must be immutable, non-falsifiable, and must also not be cloneable. For implementing these properties, some cryptographic techniques can be used employing asymmetric key pairs. The unique private keys are assigned during production and securely stored on the device while corresponding public keys are used for authentication and secure communication with other entities in the IoT ecosystem. One example is X.509 certificates.
X.509 is a standard format for public key certificates, first defined by the International Telecommunications Union (ITU). Now adapted for Internet use, the certificates bind cryptographic key pairs to an entity's identity. This facilitates strong authentication by verifying the identity of the certificate holder. The associated encryption and integrity mechanisms enable secure communication, ensuring authenticity, integrity, confidentiality, and protection against tampering or eavesdropping. Certificate authorities (CAs) hold the private encryption keys needed to issue and sign certificates and thus establish a chain of trust.
Managing Identification and Identities
There is no single organisation appointed to administrate IoT device identities. Identity providers can vary depending on the specific deployment and requirements of the IoT ecosystem. In practice, there is a multitude of providers that offer services for managing IoT device identities and authentication.
Different organisations or platforms may provide their own identity solutions tailored for IoT, and they can act as identity providers for their respective IoT devices. They may offer additional, related services like device registration, authentication, access control, and other identity management functionalities.
Popular identity providers include well-known cloud computing and IoT service providers. IoT solutions deployed on their platforms may use their services to handle device identity management. On the other hand, well-known certificate authorities (CAs) such as DigiCert, GlobalSign, and Keyfactor offer IoT identity and security solutions. These include the management of X.509 certificates.
In addition, manufacturers of ICs such as microcontrollers offer solutions that allow them to act as IoT device certificate authorities. The devices integrate hardware-based security features, such as secure storage, cryptographic algorithms, and key management capabilities that allow the manufacturer to act as a CA and so issue and manage X.509 certificates for IoT devices directly on the microcontroller IC. Using such solutions can simplify the integration of secure identities into IoT devices and enhance the overall security of IoT ecosystems.
Alternatively, device identity can be assigned during provisioning, as the device is configured for attachment to the network. The identity can be securely generated within a secure element or trusted platform module (TPM), which may be included as part of the IoT device’s circuitry. The associated cryptographic keys are then securely provisioned.