• State Not Answered
  • Replies 12 replies
  • Subscribers 69 subscribers
  • Views 2524 views
  • Users 0 members are here
Attachments (1) Download All
Nordic Case Info
  • Case ID: 305907
Options

Secure connection to AWS IoT over WiFi

Johannes Hutter

We are using nRF5340 and nRF7002 to build a WiFi connected device that integrates into our backend via AWS IoT Core. We are evaluating what the best way is to secure the private key for the TLS client authentication and whether we need an external Hardware Security Module for that or can support everything with the nRF5340 itself.

In general I see two possibilities to do the handshake:

1. Store the private key in a secure storage and have the TLS handshake executed in a secure environment

2. Generate a symmetric key in a secure environment and store it in a secure storage. Encrypt the private key with the symmetric key in the secure environment and store the encrypted private key on flash. Get the private key decrypted before connection and keep it only in memory, but never on flash in plain text.

The first one would obviously be desirable, because the key would never leave the secure environment after provisioning.

According to the docs, the nRF5340 is equipped with a KMU that could be used for securely storing keys and Cryptocell that could be used to perform the secure operations of signing, decrypting and encrypting and with TFM it should be possible to set up a secure environment.

So my questions are mainly:

* How secure is the usage of the functionality provided in the nRF5340 compared to an external dedicated Hardware Security Module?

* Is there a way (or even a sample) for the nRF5340+nRF7002 to transparently set up a client-authenticated TLS tunnel using a private key stored in the KMU?

* How does the Nordic Security Module relate to TFM?

Thanks already for the support!

Parents
  • 0

    Hi Johannes, I am working on integrating nrf7002 to my team's backend via AWS IoT Core too. I'm using a nRF7002DK and it's been hard to setup the net/aws_iot library because all examples I can find are nrf9160s using modems. Can I ask if the aws_iot library is what you used to set up the connection with AWS, and if it not, could you please give some guidance on how I should get the nrf7002 connected to AWS? Thank you so much, and I hope you have found a great solution for the problem you described in this post!

  • 0 in reply to erichotterbeefcurry

    Hey!

    Yes, I used the net/aws_iot library for the connection. Some of the pitfalls I had to debug the most probably are:

    • Disable CONFIG_POSIX_API, but enable CONFIG_NET_SOCKETS_POSIX_NAMES
    • Enable CONFIG_NET_SOCKETS_SOCKOPT_TLS and CONFIG_TLS_CREDENTIALS and set your credentials with tls_credential_add(CONFIG_AWS_IOT_SEC_TAG, TLS_CREDENTIAL_CA_CERTIFICATE, AWS_CA_CERT, sizeof(AWS_CA_CERT)) etc.
    • Make sure your certificates and keys are in the right format (single null-terminated string, in PEM format with line feeds at the end of a line).
    • Enable CONFIG_MQTT_CLEAN_SESSION to get the subscriptions enabled
    • You cannot dynamically subscribe after connection with the library, so you have to set the number of subscriptions you want to have exactly and make sure you have the policy permissions to subscribe to them.
    • I had to increase the number of posix file descriptors (CONFIG_POSIX_MAX_FDS) and disable the send timeout (CONFIG_AWS_IOT_SEND_TIMEOUT)

    I went with storing the secrets encrypted on the flash and accepting them being plain text while in memory.

    If you have any specific question, let me know, maybe I can help

  • 0 in reply to Johannes Hutter

    Hi Johannes, thank you so much for replying! I followed your suggestions and the library is building&flashing to the board now! The only part I didn't do was the TLS credentials, I wasn't how the secrets (do you mean the aws private key here?) can be flashed, could you elaborate a bit more on how you provision the certificates onto nrf7002? It seems if I use the CONFIG_AWS_IOT_PROVISION_CERTIFICATES option, it will make the function calls to tls_add_credentials too... Other than that, things look great and I am moving forward with the aws_iot library in our program. Thanks so much again for replying, your answer really helped!

    -Eric

  • 0 in reply to erichotterbeefcurry

    Hey Eric,

    yes, with TLS credentials I mean the client certificate, private key and CA certificate. For developing and getting started it makes totally sense to just compile in the files with CONFIG_AWS_IOT_PROVISION_CERTIFICATES, but since you have to have a separate set of cert/key for each device and you don't want to have your key as part of the unencrypted program, I wouldn't use this config in production.

    We went with the AWS IoT fleet provisioning by claim (https://docs.aws.amazon.com/iot/latest/developerguide/provision-wo-cert.html) and provide the bootstrap credentials over a custom BLE GATT service. So basically during production, a provisioning device (a Raspberry Pi) connects over BLE to the product, sends WiFi credentials and a signed payload containing the bootstrap credentials. With those credentials we connect to AWS IoT and request the certificate/key and the thing registration (see https://aws.github.io/Fleet-Provisioning-for-AWS-IoT-embedded-sdk/v1.1.0/fleet_provisioning_design.html).

    You could also pre-generate the things and credentials and just push them on the device during production, but in the end you always re-implement the fleet provisioning process again... So I guess it is a bit of a trade-off where you want to have the complexity during production.

    Implementing this is a bit involved, since I had to touch the aws_iot library as well, but if there is interest, I can check whether we can make the implementation public

  • 0 in reply to Johannes Hutter

    Hi Johannes,

    Ahh ok, I see, we are not in production stage yet so I agree with you that when we reach the stage a more secure method should be used. The AWS IoT fleet provisioning looks like something we can utilize too. We are definitely interested to see and learn how you've implemented this... it'd be great if you can check to see if it can be made public, and thank you for the detailed answer!

    -Eric

Reply Children
No Data
Related