• State Not Answered
  • Replies 12 replies
  • Subscribers 69 subscribers
  • Views 2527 views
  • Users 0 members are here
Attachments (1) Download All
Nordic Case Info
  • Case ID: 305907
Options

Secure connection to AWS IoT over WiFi

Johannes Hutter

We are using nRF5340 and nRF7002 to build a WiFi connected device that integrates into our backend via AWS IoT Core. We are evaluating what the best way is to secure the private key for the TLS client authentication and whether we need an external Hardware Security Module for that or can support everything with the nRF5340 itself.

In general I see two possibilities to do the handshake:

1. Store the private key in a secure storage and have the TLS handshake executed in a secure environment

2. Generate a symmetric key in a secure environment and store it in a secure storage. Encrypt the private key with the symmetric key in the secure environment and store the encrypted private key on flash. Get the private key decrypted before connection and keep it only in memory, but never on flash in plain text.

The first one would obviously be desirable, because the key would never leave the secure environment after provisioning.

According to the docs, the nRF5340 is equipped with a KMU that could be used for securely storing keys and Cryptocell that could be used to perform the secure operations of signing, decrypting and encrypting and with TFM it should be possible to set up a secure environment.

So my questions are mainly:

* How secure is the usage of the functionality provided in the nRF5340 compared to an external dedicated Hardware Security Module?

* Is there a way (or even a sample) for the nRF5340+nRF7002 to transparently set up a client-authenticated TLS tunnel using a private key stored in the KMU?

* How does the Nordic Security Module relate to TFM?

Thanks already for the support!

  • 0 in reply to erichotterbeefcurry

    Hey Eric,

    yes, with TLS credentials I mean the client certificate, private key and CA certificate. For developing and getting started it makes totally sense to just compile in the files with CONFIG_AWS_IOT_PROVISION_CERTIFICATES, but since you have to have a separate set of cert/key for each device and you don't want to have your key as part of the unencrypted program, I wouldn't use this config in production.

    We went with the AWS IoT fleet provisioning by claim (https://docs.aws.amazon.com/iot/latest/developerguide/provision-wo-cert.html) and provide the bootstrap credentials over a custom BLE GATT service. So basically during production, a provisioning device (a Raspberry Pi) connects over BLE to the product, sends WiFi credentials and a signed payload containing the bootstrap credentials. With those credentials we connect to AWS IoT and request the certificate/key and the thing registration (see https://aws.github.io/Fleet-Provisioning-for-AWS-IoT-embedded-sdk/v1.1.0/fleet_provisioning_design.html).

    You could also pre-generate the things and credentials and just push them on the device during production, but in the end you always re-implement the fleet provisioning process again... So I guess it is a bit of a trade-off where you want to have the complexity during production.

    Implementing this is a bit involved, since I had to touch the aws_iot library as well, but if there is interest, I can check whether we can make the implementation public

  • 0 in reply to Johannes Hutter

    Hi Johannes,

    Ahh ok, I see, we are not in production stage yet so I agree with you that when we reach the stage a more secure method should be used. The AWS IoT fleet provisioning looks like something we can utilize too. We are definitely interested to see and learn how you've implemented this... it'd be great if you can check to see if it can be made public, and thank you for the detailed answer!

    -Eric

Related