Provisioning Challenges and the Internet of Things
Provisioning presents some tricky challenges for IoT system developers. Learn the ins and outs of various provisioning options, including cloud-based approaches.
Among the challenges in the Internet of Things (IoT) system design space is provisioning. As more device manufacturers turn to cloud provisioning, they have discovered that balancing scalability against security is a serious obstacle.
This article explores the relationship between provisioning and IoT; reviews the pros and cons of different provisioning approaches; and evaluates the types of provisioning and when they are performed. Finally, the article presents an innovative cloud-based provisioning approach from Infineon.
Figure 1. The natural complexity of IoT devices can make provisioning difficult. Image provided courtesy of Pixabay
Provisioning for the Cloud
For IoT devices, provisioning configures a device to connect to a network and to the appropriate applications. The three basic steps in provisioning are:
- Registration: assigns the device a unique identity, typically an X.509 certificate bound to a public/private key pair that is unique to that device
- Configuration: includes aspects such as network settings, security settings, and installation of any software updates
- Deployment: includes where the device is physically installed, powered on, connected to the network, and able to communicate with the cloud
Issues with IoT Device Provisioning
The ability to securely connect IoT devices to the cloud and to scale the process has proven a challenge, especially when cost-effective solutions are sought. To best understand these issues, a review of the types of IoT provisioning, including their pros and cons, is in order.
Types of IoT Provisioning
There are three basic approaches to IoT provisioning:
- Manual provisioning
- Over-the-air (OTA) provisioning
- Cloud-based provisioning
Manual provisioning requires device-specific information (e.g., keys or unique identifiers) to be entered into the system by hand. It is a very simple approach that needs no complex infrastructure and gives a very high level of control over the provisioning process, which makes it suitable for small batches of devices. However, it scales poorly and is very prone to human error, so it becomes a problem for large-scale device deployments.
OTA provisioning, also known as zero-touch or automatic provisioning, occurs when devices automatically request and download their configuration when they first connect to a network. The server, usually owned by the company providing the provisioning service, may run on server space leased from a cloud service provider. OTA provisioning is highly scalable and eliminates the human error issues associated with manual provisioning. Potential issues include security, because the provisioning server can become a target for online attacks.
Cloud-based provisioning is a subset of OTA provisioning that relies exclusively on cloud storage services and, in this article, involves a cloud identification service that combines secure private keys and certificates. It offers excellent scalability (which is ideal for large-scale device deployments) and automation, as well as the ability to manage all devices through a single platform with tools for managing and monitoring devices. Potential issues with cloud-based provisioning include dependence on an internet connection and, just like OTA provisioning, potential security challenges. Still, cloud-based provisioning provides efficient scalability for large deployments and can be the most secure of the three approaches.
When Provisioning is Performed
Another factor related to provisioning involves when it is performed:
- Factory provisioning
- Pre-deployment provisioning
- Post-deployment provisioning
Factory provisioning, also known as pre-provisioning, takes place during the chip manufacturing process. While it allows a device to be used as soon as it has network access, it lacks flexibility and can cause problems if changes need to be made.
Pre-deployment provisioning offers a high level of customization, but major issues can arise if changes are made after deployment. This type of provisioning can be time-consuming and only works well for large-scale deployments. On the plus side, it supports thorough testing of IoT devices before deployment.
Post-deployment provisioning offers some of the customization available before deployment while supporting a high degree of flexibility. It is the most flexible and adaptable of the approaches and works well for situations involving regular updates for security or functionality. With this approach, security vulnerabilities can become a problem during configuration, and the process may involve significant complexity.
Provisioning for Certification Purposes
Assigning a certificate to a device is also an essential part of provisioning for IoT. Provisioning for certification typically involves generating a certificate request, submitting that request to a certification authority, and installing the signed certificate.
An important aspect of certification for IoT devices is that it provides authentication, ensuring that the device is what it claims to be and thus preventing attacks such as man-in-the-middle, spoofing, and counterfeiting. It also supports encrypted communication between the device and the rest of the network. Finally, it allows for scalability, secure device management, and data integrity.
A Typical Solution for Secure Cloud-Based Pre-Provisioning
The typical approach to device-to-cloud onboarding using pre-provisioned certificates, as illustrated in Figure 2, is long and complex, and difficult to perform at scale.
Figure 2. A typical approach for device-to-cloud onboarding. Image provided courtesy of Infineon
In this approach, a batch of security chips with pre-provisioned certificates is ordered. Once the chips are received, the certificate for each chip has to be extracted during the device manufacturing process. Then, all the certificates must be recorded in a manifest file that is compatible with the product cloud. Next, the certificates must be manually provisioned to the product cloud. Finally, the IoT devices connect to their product cloud using the provisioned certificates.
Note that the process requires extracting the certificates from each individual chip and creating a compatible manifest file, followed by manual cloud provisioning. Each of these steps has the potential to introduce error. The process is also difficult to scale and time-consuming.
Using Pre-Provisioned Certificates and Secure Elements
A new approach from Infineon solves the scalability, time, potential for error, and security problems associated with IoT device provisioning while reducing complexity and costs. It makes use of a secure element, a highly secured, tamper-resistant companion device of an MCU used to store and protect confidential and cryptographic data, which serves to protect and isolate the private keys.
Secure element pre-provisioning is the process of configuring a secure element and enabling these chips to be claimed at the chip manufacturer rather than at the OEM manufacturing line. This process minimizes the error that can be introduced during provisioning.
Infineon’s OPTIGA Trust M Express service, combined with CIRRENT Cloud ID, utilizes automated pre-provisioning with no human intervention required. OPTIGA Trust M Express is an off-the-shelf security solution based on a certified secure element and pre-provisioned at Infineon’s Common Criteria certified facility. Note that CIRRENT Cloud ID is an Infineon cloud service that automates IoT device certificate registration and the commissioning of the device in the product cloud.
Product Cloud Commissioning
Infineon manufactures OPTIGA Trust M Express chips with pre-provisioned certificates, acting as a Certificate Authority in a Common Criteria certified facility. Customers get batches of standard, off-the-shelf OPTIGA Trust M Express chips together with a QR code that enables binding of the chip to an OEM.
Each customer claims their chips using the included QR code, and after some initial setup the secure cloud provisioning becomes automated, taking just a few minutes to add a new reel of devices. IoT devices with these chips will connect automatically to the product cloud. This fully automated process is illustrated in Figure 3.
Figure 3. Infineon’s approach to device-to-cloud onboarding. Image provided courtesy of Infineon
In short, the Infineon approach will enable customers to claim these devices at manufacturing through Infineon cloud services instead of reading out information themselves.
Wirelessly Charged Devices
As another example, consider the provisioning of wirelessly charged devices. Infineon’s OPTIGA Trust Charge turnkey solution provides secured device authentication for inductive wireless charging according to the Qi 1.3 wireless charging standard, which requires a certificate chain provisioned into the end device. The goal is to protect IoT devices against fake chargers, supporting reliable product performance and enhancing user safety. A part of its authentication duties is the provisioning of both keys and a certificate chain required by WPC for certification.
Here is a detailed look at the provisioning process for wirelessly charged devices:
- Obtain a unique Manufacturer Certification Authority Certificate signed by WPC Root CA
- Create unique manufacturer key pair
- Perform front-end wafer test
- Create chip-unique public-private key pairs
- Issue product unit certificates
- Install the private key associated with the Product Unit Certificate (including the manufacturer's CA Certificate and the number of roots in the CA) in the chip
- Package and perform back-end testing
- Supply chips to Authorized Manufacturers for use in Qi-certified product
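To make the certificate side of provisioning concrete, here is an added Go example that is not part of this article and not Infineon's, CIRRENT's or the WPC's software. It ties together three passages above: the "generate a request, submit it to a certification authority, install the signed certificate" flow from Provisioning for Certification Purposes, the per-chip certificate record that the manual Figure 2 flow has to extract into a manifest, and the Root CA to Manufacturer CA to Product Unit Certificate chain listed in the Qi steps just above. Everything in it is constructed: the CA names are placeholders, the serial numbers and validity periods are arbitrary, and the device key pair is generated in software here, whereas on a real secure element it would be generated on-chip and the private half would never leave it. It uses only the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Constructed chain: Root CA -> Manufacturer CA -> Product Unit (device) certificate.
// All names are placeholders, not real WPC or Infineon identifiers. must() is an
// example-only shortcut that panics on error so the happy path reads linearly.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newKey makes a P-256 key pair in software; on a real device the pair is generated
// inside the secure element and the private half never leaves it.
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// makeCA issues a CA certificate; with parent == nil it is self-signed (a root).
func makeCA(cn string, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der))
}

// DeviceCSR: the "generate a certificate request" step; the CSR carries the device's public key and is self-signed as proof of possession.
func DeviceCSR(deviceID string, key *ecdsa.PrivateKey) *x509.CertificateRequest {
	der := must(x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: deviceID}}, key))
	return must(x509.ParseCertificateRequest(der))
}

// IssueDeviceCert: the "submit to the CA" step; the manufacturer CA checks proof of possession and issues the product unit (end-entity) certificate.
func IssueDeviceCert(csr *x509.CertificateRequest, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR rejected: %w", err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(5 * 365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyChain: what the product cloud (or a Qi charger) does before trusting a device; the leaf must chain through the manufacturer CA to a trusted root.
func VerifyChain(leaf, manufacturerCA, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(manufacturerCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// Fingerprint: the per-chip value the manual Figure 2 flow extracts into the manifest so the cloud can match a connecting device to its record.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// BuildChain runs the whole flow for one device; the device installs dev plus mfr, and the verifier holds root.
func BuildChain(deviceID string) (root, mfr, dev *x509.Certificate) {
	rootKey, mfrKey := newKey(), newKey()
	root = makeCA("Example Root CA (constructed)", rootKey, nil, nil)
	mfr = makeCA("Example Manufacturer CA (constructed)", mfrKey, root, rootKey)
	dev = must(IssueDeviceCert(DeviceCSR(deviceID, newKey()), mfr, mfrKey))
	return
}

func main() {
	root, mfr, dev := BuildChain("device-0001")
	other := makeCA("Unrelated Root (constructed)", newKey(), nil, nil)
	fmt.Println("chain verifies:", VerifyChain(dev, mfr, root) == nil)           // true
	fmt.Println("unrelated root rejected:", VerifyChain(dev, mfr, other) != nil) // true
	fmt.Println("device fingerprint:", Fingerprint(dev))
}
```

Two design points carry over to real deployments. First, the verifier never needs the device's private key: it trusts only the root, receives the manufacturer CA and device certificate from the device, and checks the signatures, which is why the article's onboarding flows revolve around getting certificates (not keys) into the product cloud. Second, the negative case matters as much as the positive one: a certificate issued under any other root, or presented without its manufacturer CA, must be rejected, which is exactly what protects against the counterfeit devices and fake chargers the article mentions.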
Simplifying, Scaling, and Securing
Two of the most important pain points for provisioning IoT devices involve scalability and security. Infineon's approach combines off-the-shelf security solutions based on certified secure elements pre-provisioned at Infineon's Common Criteria certified facility. The approach automates IoT device certificate registration and the provisioning of the device. These products simplify device-to-cloud and industry-standard authentication mechanisms, support scaling, and provide protection for IoT devices.
Industry Articles are a form of content that allows industry partners to share useful news, messages, and technology with All About Circuits readers in a way editorial content is not well suited to. All Industry Articles are subject to strict editorial guidelines with the intention of offering readers useful news, technical expertise, or stories. The viewpoints and opinions expressed in Industry Articles are those of the partner and not necessarily those of All About Circuits or its writers.